Tuesday, January 31, 2012

ASP.NET limits the number of form variables

Did your form post suddenly stop working?

On Dec. 29, 2011, Microsoft released a security fix through Windows Update (MS11-100). Among other things, this fix limits the maximum number of form variables, files, and JSON members in an HTTP request to 1000.

As described in http://support.microsoft.com/kb/2661403, HTTP clients that make these kinds of large requests will be denied, and an error message will appear in the web browser. The error message will usually have an HTTP 500 status code.

But the catch is, the only true indication that you're encountering this problem is the specific exception stack trace visible in the event log (or in the rendered ASP.NET page, if your web.config <customErrors mode="..."> allows it).  An example:
[InvalidOperationException: Operation is not valid due to the current state of the object.]
   System.Web.HttpRequest.FillInFormCollection() +468
   System.Web.HttpRequest.get_Form() +79
   System.Web.HttpRequest.get_HasForm() +73
   System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) +54
   System.Web.UI.Page.DeterminePostBackMode() +90
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +268

This new Microsoft limit can be configured on a per-application basis in web.config. In the <appSettings> section, add a new key for "aspnet:MaxHttpCollectionKeys" with an appropriately large value for your specific site:
 <add key="aspnet:MaxHttpCollectionKeys" value="2000" />

There is a separate limit for JSON members:
 <add key="aspnet:MaxJsonDeserializerMembers" value="2000" />

Note: If you are using ASP.NET 1.1, the setting is adjusted by adding a DWORD value to registry keys; see http://support.microsoft.com/kb/2661403.

No comments:

Post a Comment