On Thu, Sep 13, 2012 at 11:24 AM, Brian Thornton <[email protected]> wrote:
> It was a field max to limit CSRF. Number of fields is limited or allowed
> by W3C standards, so I strongly doubt that to be changed in this case.

This particular hotfix does not do anything to limit the number of form fields submitted; however, a previous hotfix did: APSB12-06, which added the postParameterLimit setting to neo-runtime.xml. This value defaults to 100, so submitting 53 form fields should not trigger it (unless you lowered the default value). Note that if you installed the latest hotfix you also installed this one, because the security hotfixes are mostly cumulative (for 9.0.1 at least).

This was added to mitigate the effects of the HashDoS vulnerability; see more about that here: http://www.petefreitag.com/item/808.cfm

I'm not sure how limiting the number of fields would limit a CSRF attack; can you explain? Also, I'm not aware of a standard limiting the number of fields, but please prove me wrong if there is one. There are limits on the size of the URL imposed by browsers, and in some HTML specifications, but the HTTP RFC says "The HTTP protocol does not place any a priori limit on the length of a URI": http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1

I'm not aware of any standard limiting the size or number of fields of a FORM post in the HTTP protocol; my understanding is that it is up to the server to determine what is acceptable.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352577
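An added example of the kind of guard the message describes (not code from the thread, from Adobe, or from the ColdFusion hotfix): a form-body parser that enforces a field-count limit, defaulting to the 100 that postParameterLimit defaults to, and stops before the excess fields are ever inserted into the dictionary, which is the point of such a limit as a HashDoS mitigation. The field names and helper functions are constructed for the example.

```python
# Added example, not the hotfix's own implementation. Demonstrates a
# postParameterLimit-style guard on application/x-www-form-urlencoded bodies.
# The defensive detail: the limit is checked on the raw pair count as we go,
# so at most `limit` keys ever reach the dict (the structure HashDoS targets).
from urllib.parse import unquote_plus

DEFAULT_POST_PARAMETER_LIMIT = 100  # mirrors the default cited in the thread


class TooManyFormFields(ValueError):
    """Raised when a request carries more form fields than the limit."""


def parse_form_body(body: str, limit: int = DEFAULT_POST_PARAMETER_LIMIT) -> dict:
    """Parse a urlencoded form body into a dict, enforcing a field-count limit.

    Raises TooManyFormFields as soon as the (limit + 1)-th field is seen,
    before that field (or any later one) is decoded or inserted.
    """
    fields: dict = {}
    count = 0
    if not body:
        return fields
    for pair in body.split("&"):
        if pair == "":
            continue  # tolerate stray separators such as "a=1&&b=2"
        count += 1
        if count > limit:
            raise TooManyFormFields(f"more than {limit} form fields submitted")
        key, sep, value = pair.partition("=")
        # A bare "flag" with no "=" is a present-but-empty field.
        fields[unquote_plus(key)] = unquote_plus(value) if sep else ""
    return fields


def build_body(n: int) -> str:
    """Constructed sample input: a body with n distinct fields f0..f(n-1)."""
    return "&".join(f"f{i}=v{i}" for i in range(n))


if __name__ == "__main__":
    print(len(parse_form_body(build_body(53))))   # 53 fields: under the default, accepted
    try:
        parse_form_body(build_body(101))           # 101 fields: rejected
    except TooManyFormFields as exc:
        print("rejected:", exc)
```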

