Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

ASP.NET MS11-100: how can I change the limit on the maximum number of posted form values?

Try adding this setting in web.config. I just tested this on .NET 4.0 with an ASP.NET MVC 2 project and with this setting your code doesn't throw:

<appSettings>
  <add key="aspnet:MaxHttpCollectionKeys" value="1001" />
</appSettings>

That should work now (after you have applied the security update) to change the limit.


I hadn't updated my machine yet, so using Reflector I checked the HttpValueCollection class, and it didn't have the ThrowIfMaxHttpCollectionKeysExceeded method:

enter image description here

I installed KB2656351 (update for .NET 4.0), reloaded the assemblies in Reflector and the method appeared:

enter image description here

So that method is definitely new. I used the Disassemble option in Reflector, and from what I can tell from the code it checks an AppSetting:

if (this.Count >= AppSettings.MaxHttpCollectionKeys)
{
  throw new InvalidOperationException();
}

If it doesn't find the value in the web.config file, it will set it to 1000 in System.Web.Util.AppSettings.EnsureSettingsLoaded (an internal static class):

 _maxHttpCollectionKeys = 0x3e8;

Also, Alexey Gusarov tweeted about this setting two days ago:

  • http://twitter.com/#!/tr_tr_mitya/status/152473667102715904
  • http://twitter.com/#!/tr_tr_mitya/status/152475158941138944

And here is an official answer from a Q&A with Jonathan Ness (Security Development Manager, MSRC) and Pete Voss (Sr. Response Communications Manager, Trustworthy Computing):

Q: Is AppSettings.MaxHttpCollectionKeys the new parameter that contains the maximum number of form entries?

A: Yes it is.


For those of you still using .NET 1.1, this setting is not configured via web.config - it is a registry setting (hat tip to michielvoo, as I only discovered this through Reflector the same way he found the answer). The example below sets MaxHttpCollectionKeys to 5000 on 32-bit editions of Windows:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\1.1.4322.0]
"MaxHttpCollectionKeys"=dword:00001388

For a 64-bit Windows edition, set the key under the Wow6432Node:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\ASP.NET\1.1.4322.0]
"MaxHttpCollectionKeys"=dword:00001388

I just want to add my $0.02 here for people seeing the weirdness.

If your application stashes page information into ASP.NET ViewState, and exceeds the web server threshold, you're going to run into this problem. Rather than applying the web.config fix problem straight away you might want to take a look at optimizing your code first.

View Source, and look for 1000+ viewstate hidden fields, and you've got your problem.


ThrowIfMaxHttpCollectionKeysExceeded() has also been added to the System.Web.HttpCookieCollection.

It looks like when HttpCookieCollection.Get() is called, it's internally calling HttpCookieCollection.AddCookie(), which then is calling ThrowIfMaxHttpCollectionKeysExceeded().

public HttpCookie Get(string name)
{
    HttpCookie cookie = (HttpCookie) base.BaseGet(name);
    if ((cookie == null) && (this._response != null))
    {
        cookie = new HttpCookie(name);
        this.AddCookie(cookie, true);
        this._response.OnCookieAdd(cookie);
    }
    return cookie;
}

internal void AddCookie(HttpCookie cookie, bool append)
{
    this.ThrowIfMaxHttpCollectionKeysExceeded();
    this._all = null;
    this._allKeys = null;
    if (append)
    {
        cookie.Added = true;
        base.BaseAdd(cookie.Name, cookie);
    }
    else
    {
        if (base.BaseGet(cookie.Name) != null)
        {
            cookie.Changed = true;
        }
        base.BaseSet(cookie.Name, cookie);
    }
}

What we're seeing is that over a period of a couple of hours the website gets progressively slower and buggier, until it starts throwing the InvalidOperationExcpetion. We then recycle the app-pool, which fixes the issue for a few more hours.


If you're using ASP.NET CORE you can set this setting inside Startup#ConfigureServices

services.Configure<FormOptions>(options => options.ValueCountLimit = 1000); // you may want to adjust this limit

Reference: StackOverflow