On Dec 29, 2011, Microsoft released security update KB2656356 / MS11-100 for ASP.NET to address a potential Denial of Service vulnerability. In the update, Microsoft introduced a limit on the number of data elements in an ASP.NET form. The default limit is 1000 data elements. Exceeding the limit causes an exception raised from ThrowIfMaxHttpCollectionKeysExceeded.
After you apply the patch to your web server, forms that exceed the limit will generate the following error when posting:
System.Web.HttpException: The URL-encoded form data is not valid. ---> System.InvalidOperationException: Operation is not valid due to the current state of the object.
   at System.Web.HttpValueCollection.ThrowIfMaxHttpCollectionKeysExceeded()
   at System.Web.HttpValueCollection.FillFromEncodedBytes(Byte[] bytes, Encoding encoding)
   at System.Web.HttpRequest.FillInFormCollection()
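To change the default MaxHttpCollectionKeys limit, add the following to the appSettings section of your web.config file and set a large value. If it isn't big enough, make it bigger. The limit is what the update introduced to address the Denial of Service vulnerability, so size the value to what your largest form actually posts: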
<appSettings>
  <add key="aspnet:MaxHttpCollectionKeys" value="2000"></add>
</appSettings>
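To pick the value from measurements instead of guessing, the following added example (not part of the original article or of ASP.NET) counts the data elements in captured URL-encoded POST bodies and compares them with the limit configured in web.config. The function names `configured_limit`, `count_elements` and `audit` are hypothetical, the sample bodies and config strings are constructed, and every name=value pair is counted as one data element, which is a conservative assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

SETTING = "aspnet:MaxHttpCollectionKeys"
DEFAULT_LIMIT = 1000  # default stated in the article


def configured_limit(web_config_xml):
    """Return the limit set in appSettings, or the default if it is absent."""
    root = ET.fromstring(web_config_xml)
    # XML element names are case-sensitive: only <appSettings> is matched.
    for section in root.iter("appSettings"):
        for add in section.findall("add"):
            if add.get("key") == SETTING:
                return int(add.get("value"))
    return DEFAULT_LIMIT


def count_elements(body):
    """Count name=value pairs in a URL-encoded body, blank values included."""
    return len(parse_qsl(body, keep_blank_values=True))


def audit(bodies, web_config_xml):
    """Compare each captured POST body against the configured limit."""
    limit = configured_limit(web_config_xml)
    counts = [count_elements(b) for b in bodies]
    return {
        "limit": limit,
        "largest": max(counts, default=0),
        # Indexes of bodies that exceed the limit (assumed to be rejected).
        "over_limit": [i for i, n in enumerate(counts) if n > limit],
    }


# Constructed sample data: a small login form and a 1500-field grid form.
SAMPLE_BODIES = [
    "user=alice&remember=",
    "&".join(f"row{i}=x" for i in range(1500)),
]
PATCHED_DEFAULT = "<configuration><appSettings/></configuration>"
RAISED = (
    "<configuration><appSettings>"
    '<add key="aspnet:MaxHttpCollectionKeys" value="2000" />'
    "</appSettings></configuration>"
)

if __name__ == "__main__":
    print(audit(SAMPLE_BODIES, PATCHED_DEFAULT))
    print(audit(SAMPLE_BODIES, RAISED))
```

The `largest` figure is the number to size the setting against; anything listed in `over_limit` is a form that would hit the exception shown above under the current configuration.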