Well, you can put it in perspective: the default ASP.NET setting is 5000,
which is obviously a lot higher than CF's 100.
You are probably going to be safe putting it up higher, but you should tell
your client to make sure they have something in place to stop that form
being abused and DoS'ed.

On Fri, Dec 12, 2014 at 4:11 PM, Chris <0404tow...@gmail.com> wrote:

>
> Nathan, Russ, thanks for the comments.
>
> The application with all the post parameters definitely needs a rewrite.
> Our involvement is only in hosting it. The current owners want it to run
> ... and we have to justify why the settings should or should not be
> modified <sigh>.
>
> best regards,
> Chris
>
>
> On Thu, Dec 11, 2014 at 4:08 PM, Russ Michaels <r...@michaels.me.uk>
> wrote:
> >
> >
> > Also you need to consider why this limit exists.
> > What would happen if your form with 2000 fields was DoS attacked, for
> > example? Have you tested it under load?
> > If I wanted to take someone's site down, a form like that would be an
> > easy target.
> >
> >
> > On Thu, Dec 11, 2014 at 18:36 PM, Nathan Strutz <str...@gmail.com>
> wrote:
> >
> >
> > I'm sorry that I don't have an answer to your question or a solution to
> > your problem, but I just have to ask, is it possible that your
> > application just needs to adapt to what is a fairly standard security
> > practice across the industry? It sounds like one of those jokes that
> > ends in "just because you can, it doesn't mean you should." What is this
> > process that forces you to submit over one thousand form fields in one
> > POST? Perhaps you can serialize it into one big string that's parsed out
> > on the server? You say it's for importing a spreadsheet - couldn't you
> > import the whole spreadsheet file and use cfspreadsheet to do individual
> > fields? I have trouble believing a user can even see 1000 items on a
> > single page - did you set up the whole spreadsheet as a grid with form
> > fields like a1, a2, b1, b2? Can you piecemeal it and send partials via
> > ajax, live, as the user updates them?
> >
> > You don't really have to answer, as interesting as it may be, but maybe
> > you can ask these questions internally and find some better kind of
> > architecture to solve the problem. Good luck!
> >
> > On Thu Dec 11 2014 at 12:31:18 PM Chris <0404tow...@gmail.com> wrote:
> >
> > >
> > > Hi, we see the postParametersLimit (post request parameters) in CF11 is
> > > 100, the same as in CF9. This is from the CF11 Lockdown Guide.
> > >
> > > Can anyone confirm the default limit is 100? That seems low, but
> > > perhaps Adobe did not change the hash methods or hash collision
> > > resolution methods.
> > >
> > >
> > > We set postParametersLimit to 1,100 for CF9, and now have an
> > > application that wants 2,000! This is for regularly importing
> > > spreadsheets into a database :-(
> > >
> > > thank you,
> > >
> > > Chris
> > >
> > >
> > >
> >
> >
> >
> >
>
> 
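
Added example, not part of the thread and not ColdFusion's own code: a Python sketch of the two server-side ideas raised above, a field-count limit checked before the body is parsed into a map (the kind of limit postParametersLimit sets) and the single serialized field suggested in the thread, with its own bounds. The field name `cells`, the size caps and the cell-key pattern are assumptions.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode

MAX_PARAMS = 100            # the CF default discussed in the thread
MAX_BODY_BYTES = 1_000_000  # assumed cap on the raw POST body
MAX_CELLS = 5_000           # assumed cap on cells inside the single field
CELL_KEY = re.compile(r"[a-z]{1,3}[0-9]{1,5}")  # a1, b2, ... (assumed naming)


class RequestRejected(ValueError):
    """Raised before any per-field work is done on an oversized request."""


def parse_form(body: bytes, limit: int = MAX_PARAMS) -> dict:
    """Parse a urlencoded body only after cheap size and field-count checks."""
    if len(body) > MAX_BODY_BYTES:
        raise RequestRejected("body too large")
    fields = body.count(b"&") + 1 if body else 0  # linear scan, no hashing yet
    if fields > limit:
        raise RequestRejected(f"{fields} fields exceeds limit {limit}")
    return dict(parse_qsl(body.decode("ascii"), keep_blank_values=True))


def parse_cells(form: dict, max_cells: int = MAX_CELLS) -> dict:
    """Decode the single 'cells' field (hypothetical name) and bound it."""
    cells = json.loads(form["cells"])
    if not isinstance(cells, dict) or len(cells) > max_cells:
        raise RequestRejected("cells must be an object within the cell cap")
    for key, value in cells.items():
        if not CELL_KEY.fullmatch(key) or not isinstance(value, str):
            raise RequestRejected(f"bad cell {key!r}")
    return cells


# Constructed sample: a 2,000-cell sheet, sent two ways.
SHEET = {f"a{i}": f"v{i}" for i in range(1, 2001)}
PER_FIELD_BODY = urlencode(SHEET).encode()                         # 2,000 params
ONE_FIELD_BODY = urlencode({"cells": json.dumps(SHEET)}).encode()  # 1 param

if __name__ == "__main__":
    try:
        parse_form(PER_FIELD_BODY)
    except RequestRejected as exc:
        print("per-field form rejected:", exc)
    cells = parse_cells(parse_form(ONE_FIELD_BODY))
    print("single-field form accepted, cells:", len(cells))
```

Moving the sheet into one field keeps the parameter limit at its default, but the body-size and cell caps still have to be set, since the work has only moved from the form parser to the JSON parser.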

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359837