Nathan, Russ, thanks for the comments. The application with all the post parameters definitely needs a rewrite. Our involvement is only in hosting it. The current owners want it to run ... and we have to justify why the settings should or should not be modified <sigh>.
best regards,
Chris

On Thu, Dec 11, 2014 at 4:08 PM, Russ Michaels <[email protected]> wrote:
>
> Also you need to consider why this limit exists.
> What would happen if your form with 2000 fields was DoS attacked for
> example, have you tested it under load?
> If I wanted to take someone's site down, a form like that would be an easy
> target.
>
> On Thu, Dec 11, 2014 at 18:36 PM, Nathan Strutz <[email protected]> wrote:
>
> I'm sorry that I don't have an answer to your question or a solution to
> your problem, but I just have to ask, is it possible that your application
> just needs to adapt to what is a fairly standard security practice across
> the industry? It sounds like one of those jokes that ends in "just because
> you can, it doesn't mean you should." What is this process that forces you
> to submit over one thousand form fields in one POST? Perhaps you can
> serialize it into one big string that's parsed out on the server? You say
> it's for importing a spreadsheet - couldn't you import the whole
> spreadsheet file and use cfspreadsheet to do individual fields? I have
> trouble believing a user can even see 1000 items on a single page - did you
> set up the whole spreadsheet as a grid with form fields like a1, a2, b1,
> b2? Can you piecemeal it and send partials via ajax, live, as the user
> updates them?
>
> You don't really have to answer, as interesting as it may be, but maybe you
> can ask these questions internally and find some better kind of
> architecture to solve the problem. Good luck!
>
> On Thu Dec 11 2014 at 12:31:18 PM Chris <[email protected]> wrote:
>
> > Hi, we see the postParametersLimit (post request parameters) in CF11 is
> > 100, the same as in CF9. This is from the CF11 Lockdown Guide.
> >
> > Can anyone confirm the default limit is 100? That seems low, but perhaps
> > Adobe did not change the hash methods or hash collision resolution
> > methods.
> >
> > We set postParametersLimit to 1,100 for CF9, and now have an application
> > that wants 2,000! This is for regularly importing spreadsheets into a
> > database :-(
> >
> > thank you,
> >
> > Chris

