The newly released (Dec. 29th) Microsoft security update which addresses the “hash DoS” attack vulnerabilities imposes a limit of 1000 form parameters. Unfortunately this limit breaks “very large” forms (e.g. list of items with action links, e.g. 200 items with 5 checkboxes = 1000 form fields). I agree such large pages are not very common, nor ideally usable but they do exist (sometimes for good reason) and are rendered un-functional by the new patch.
Good info about the vulnerability/Microsoft patch can be found here:
and
http://www.troyhunt.com/2011/12/has-hash-dos-patch-been-installed-on.html
Does anyone have ideas for how to efficiently convert legacy ASP.NET form pages, with >1000 form fields, to function on a patched system? (Aside from artificially limiting the “page size” to contain < 1000 fields)?
I heard back from Scott Guthrie with some information that makes this a non-issue:
Correct – once the patch is applied it by default limits the number of individual form fields to be 1000 per HTTP post. This is well below any type of DoS threshold, and we felt was large enough for all but a few applications.
This limit is configurable, though, and so if you do have scenarios where you need to post more than 1000 fields you can increase it. You can do this by adding a setting into the <appSettings> section of the web.config file for your application and setting the value appropriately. For example:
We’ve enabled this within so that you can set this in any application and not worry about it breaking on an un-patched server.
Hope this helps,
Scott
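A web.config fragment for the configurable limit described in the reply above, added here as an example; it is not part of the original post or of the quoted e-mail. It assumes the key is `aspnet:MaxHttpCollectionKeys` (the appSettings key this update reads), and the value 2000 is constructed for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <!-- Maximum number of form fields accepted per HTTP post.
         The patched default is 1000. The value 2000 is an assumed figure for
         this example: size it to the largest legitimate form in the application
         (visible inputs plus hidden fields) with a small margin, and keep it
         as low as that allows, because this cap is what bounds the per-request
         hashing work the patch is limiting. -->
    <add key="aspnet:MaxHttpCollectionKeys" value="2000" />
  </appSettings>
</configuration>
```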