ASP.NET MS11-100: how can I change the limit on the maximum number of posted form values?

by

Try adding this setting in web.config. I just tested this on .NET 4.0 with an ASP.NET MVC 2 project and with this setting your code doesn’t throw:

<appSettings>
  <add key="aspnet:MaxHttpCollectionKeys" value="1001" />
</appSettings>

That should work now (after you have applied the security update) to change the limit.

I hadn’t updated my machine yet, so using Reflector I checked the HttpValueCollection class, and it didn’t have the ThrowIfMaxHttpCollectionKeysExceeded method:

enter image description here

I installed KB2656351 (update for .NET 4.0), reloaded the assemblies in Reflector and the method appeared:

enter image description here

So that method is definitely new. I used the Disassemble option in Reflector, and from what I can tell from the code it checks an AppSetting:

if (this.Count >= AppSettings.MaxHttpCollectionKeys)
{
  throw new InvalidOperationException();
}

If it doesn’t find the value in the web.config file, it will set it to 1000 in System.Web.Util.AppSettings.EnsureSettingsLoaded (an internal static class):

 _maxHttpCollectionKeys = 0x3e8;

Also, Alexey Gusarov tweeted about this setting two days ago:

And here is an official answer from a Q&A with Jonathan Ness (Security Development Manager, MSRC) and Pete Voss (Sr. Response Communications Manager, Trustworthy Computing):

Q: Is AppSettings.MaxHttpCollectionKeys the new parameter that
contains the maximum number of form entries?

A: Yes it is.

More Related Contents:

  1. Maximum default POST request size of IIS 7 – how to increase 64kB/65kB limit?
  2. Are Parameters really enough to prevent Sql injections?
  3. Access-control-allow-origin with multiple domains
  4. Receiving login prompt using integrated windows authentication
  5. How can I force entity framework to insert identity columns?
  6. ASP.Net error: “The type ‘foo’ exists in both “temp1.dll” and “temp2.dll”
  7. Call ASP.NET PageMethod/WebMethod with jQuery – returns whole page
  8. Custom Authorization in Asp.net WebApi – what a mess?
  9. Store/assign roles of authenticated users
  10. How to pass a datetime parameter?
  11. thread messaging system database schema design
  12. Passing session data between ASP.NET Applications
  13. Windows Authentication for ASP.NET MVC 4 – how it works, how to test it
  14. How to Customize ASP.NET Web API AuthorizeAttribute for Unusual Requirements
  15. Nested ASP.NET ‘application’ within IIS inheriting parent config values?
  16. ASP.net session request queuing
  17. How to get Client Machine’s Mac Address in a Web application
  18. How to disable browser cache in ASP.NET core rc2?
  19. Does it help to use NGEN?
  20. Removing/Hiding/Disabling excessive HTTP response headers in Azure/IIS7 without UrlScan
  21. ASP.NET Core change EF connection string when user logs in
  22. Difference between DropDownlist or DropDownListFor Html helper
  23. ASP.net MVC4 WebApi route with file-name in it
  24. calling an ascx page method using jquery
  25. How should I detect the MIME type of an uploaded file in ASP.NET?
  26. “Exception has been thrown by the target of an invocation” error (mscorlib)
  27. How to forcefully set IE’s Compatibility Mode off from the server-side?
  28. How do I get msdeploy to create App_Data if it doesn’t exist, but not delete any contents of the remote directory?
  29. How to do AsyncPostBackTrigger for the LinkButton in the Repeater
  30. How does Html.Raw MVC helper work?

Leave a Comment