Re: postSizeLimit and postParameterLimit
On Thu, Mar 28, 2013 at 11:26 PM, Justin Hansen jhan...@uhlig.com wrote:

> There is a bit of a debate going on, I was hoping the community could chime in... What is a reasonable limit for the postSizeLimit and postParameterLimit settings (aka maximum number of form fields)? 100, 1,000, 10,000?

Tomcat has a default value of 1 for a somewhat equivalent parameter (maxParameterCount): http://tomcat.apache.org/tomcat-7.0-doc/config/http.html

-- 
Mack

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355194
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: postSizeLimit and postParameterLimit
> What is a reasonable limit for the postSizeLimit and postParameterLimit settings (aka maximum number of form fields)? 100, 1,000, 10,000?
>
> On the one hand, we have a dynamic form with LOTS of fields. This is/was a business requirement, it grew over time, it hit the limit, again. Of course we could spend days/hours rewriting the code, or we can just up the limit and move on. (Yes, eventually it should get re-written, but that's not the point of this inquiry.)
>
> On the other hand, we have security. The security camp says, the lower the better. Is raising the limit from say 5,000 to 6,000 really going to hurt us from a security point of view? How? Why?
>
> I have looked around and seen many a blog post about the settings. However, I haven't seen any information on what a good rule of thumb should be. Just where should we draw the line? How high is too high and why?

It should be a bit larger, at least, than your largest form. That's the only rule of thumb I can give you.

The goal of this setting is to prevent submission of large forms that you are presumably not expecting to process. If you allow people to submit very large forms, they could build their own HTTP POST with large amounts of data which may effectively keep your server from doing anything else. But if you actually have large forms that you want to process, that's perfectly reasonable and you should be allowed to do so.

I'm a pretty security-conscious person, and I'd recommend you simply increase the limit to allow your current form to work.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355195
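What the limit Dave describes actually does at request time, as an added example that is not part of this thread or of ColdFusion or Tomcat: a small request guard that checks the body size first (the cheapest check, known from Content-Length before any parsing) and then lets the standard library refuse to parse a URL-encoded body with more fields than the parameter limit, so an oversized POST is rejected before the server builds a large form scope. The names `check_post`, `PostLimits`, `PostResult` and `build_form`, and the 1 MiB size limit, are assumptions for the example; the 5,000 and 6,000 field limits are the numbers from the thread.

```python
"""Added example (not from the cf-talk thread): enforce a byte-size limit and a
parameter-count limit on a URL-encoded POST body before handing it to the
application, the way postSizeLimit / postParameterLimit (ColdFusion) and
maxParameterCount (Tomcat) do. All names and the 1 MiB size limit are assumptions."""
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode


@dataclass(frozen=True)
class PostLimits:
    size_limit: int        # bytes, the role postSizeLimit plays
    parameter_limit: int   # number of fields, the role postParameterLimit plays


@dataclass(frozen=True)
class PostResult:
    accepted: bool
    reason: str
    fields: tuple = ()     # parsed (name, value) pairs when accepted


def check_post(body: bytes, limits: PostLimits) -> PostResult:
    """Return an accepted/rejected verdict for one form body."""
    # 1. Cheapest check first: the size is known before a single field is decoded.
    if len(body) > limits.size_limit:
        return PostResult(False, f"body of {len(body)} bytes exceeds size limit {limits.size_limit}")
    # 2. Field count: parse_qsl(max_num_fields=...) counts separators before it decodes
    #    anything, so a body with too many fields raises ValueError without the cost
    #    of building a large field list.
    try:
        fields = parse_qsl(body.decode("ascii", errors="replace"),
                           keep_blank_values=True,
                           max_num_fields=limits.parameter_limit)
    except ValueError as exc:
        return PostResult(False, f"field count exceeds parameter limit {limits.parameter_limit}: {exc}")
    return PostResult(True, "ok", tuple(fields))


def build_form(num_fields: int) -> bytes:
    """Constructed sample body: a dynamic form with num_fields inputs named f0..fN."""
    return urlencode([(f"f{i}", "x") for i in range(num_fields)]).encode()


if __name__ == "__main__":
    one_mib = 1 << 20
    big_form = build_form(5500)          # the legitimate, grown-over-time form
    # The situation in the thread: the real form has outgrown a limit of 5,000.
    print(check_post(big_form, PostLimits(one_mib, 5000)).reason)
    # Raising the limit a bit above the largest form lets it through again...
    print(check_post(big_form, PostLimits(one_mib, 6000)).reason)
    # ...while a body with far more fields than any real form is still refused.
    print(check_post(build_form(100_000), PostLimits(one_mib, 6000)).reason)
```

The order of the two checks is the point: the size check costs nothing, and the field-count check fails on a separator count rather than after decoding every field, so a rejected request is cheap for the server regardless of how large it was. Raising the parameter limit from 5,000 to 6,000 only widens the window for forms of that size; it does not remove the guard against bodies that are orders of magnitude larger.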
postSizeLimit and postParameterLimit
There is a bit of a debate going on, I was hoping the community could chime in...

What is a reasonable limit for the postSizeLimit and postParameterLimit settings (aka maximum number of form fields)? 100, 1,000, 10,000?

On the one hand, we have a dynamic form with LOTS of fields. This is/was a business requirement, it grew over time, it hit the limit, again. Of course we could spend days/hours rewriting the code, or we can just up the limit and move on. (Yes, eventually it should get re-written, but that's not the point of this inquiry.)

On the other hand, we have security. The security camp says, the lower the better. Is raising the limit from say 5,000 to 6,000 really going to hurt us from a security point of view? How? Why?

I have looked around and seen many a blog post about the settings. However, I haven't seen any information on what a good rule of thumb should be. Just where should we draw the line? How high is too high and why?

Ready? Fight...

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355192