ASP.NET MS11-100：我怎样才能改变发布形式值的最大数量的限制？ [英] ASP.NET MS11-100: how can I change the limit on the maximum number of posted form values?

问题描述

微软最近（2011年12月29日）发布了一个更新来解决几个严重的安全漏洞在.NET Framework。一个接 MS11-100 介绍的修复程序暂时缓解潜在的DoS攻击涉及哈希表冲突。这似乎包含大量POST数据的此修复断裂的网页。在我们的例子中，在页面上有非常大的复选框列表。为什么会是这种情况？

一些非官方消息似乎表明，MS11-100地方500回发项目的限制。我找不到证实了这一点微软源。我知道视图状态和其他框架功能吃掉一些这方面的限​​制。是否有控制这个新限制的任何配置设置？我们可以使用复选框切换遥远，但它的工作原理相当好我们的特殊情况。我们也想申请的补丁，因为它可以防止其他一些讨厌的事情。

非官方源讨论500极限：

  

的公告通过向提供一个极限修复了DOS攻击向量
  可以为单一的HTTP POST提交的变量数
  请求。默认的限额为500应该是足够正常
  Web应用程序，但仍然低到足以抵消这次袭击
  在德国安全研究人员介绍。

编辑：源$ C ​​$ c。与实施例限制（这似乎是1000，而不是500）
创建一个标准的MVC应用程序，并添加以下code主索引视图：

  @using（Html.BeginForm（））
{
    ＆LT;字段集类=田＆GT;
        ＆LT; p =类提交＆GT;
            ＆LT;输入类型=提交值=提交/＆GT;
        ＆所述; / P＆GT;        @for（VAR I = 0; I＆LT; 1000;我++）
        {
            ＆LT; D​​IV＆GT; @ Html.CheckBox（CB+ i.ToString（），真）LT; / DIV＆GT;
        }
    ＆LT; /字段集＆GT;
}
 

这code修补程序之前工作过。它不工作后。该错误是：

  

[出现InvalidOperationException：操作无效由于目前
  对象的状态。]结果
  System.Web.HttpValueCollection.ThrowIfMaxHttpCollectionKeysExceeded（）
  +82 System.Web.HttpValueCollection.FillFromEn codedBytes（字节[]字节编码的编码）+111结果
  System.Web.Htt prequest.FillInFormCollection（）307

解决方案

尝试添加在web.config中此设置。我只是用ASP.NET MVC 2项目以及与此设置您的code不抛出这个测试在.NET 4.0：

 ＆LT;＆的appSettings GT;
  ＆LT;添加键=ASPNET：MaxHttpCollectionKeysVALUE =1001/＆GT;
＆LT; /的appSettings＆GT;
 

这应该现在的工作（已应用安全更新后）更改限制。

---

我还没有更新我的机器还，所以使用反射我查了HttpValueCollection类，它不具备 ThrowIfMaxHttpCollectionKeysExceeded 方法：

我安装 KB2656351 （更新.NET 4.0），重新加载组件的反射器和方法出现了：

所以这方法绝对是新的。我用的反射器的拆卸的选项，并从我可以从$ C $告诉c将其检查的AppSetting：

 如果（this.Count＆GT; = AppSettings.MaxHttpCollectionKeys）
{
  抛出新的InvalidOperationException异常（）;
}
 

如果它没有找到在web.config文件中的值后，将其设置为1000 System.Web.Util.AppSettings.EnsureSettingsLoaded （内部静态类）：

  _maxHttpCollectionKeys =了0x3e8;
 

---

此外，阿列克谢Gusarov啾啾有关此设置的前两天：

• http://twitter.com/#!/tr_tr_mitya/status/152473667102715904


• http://twitter.com/#!/tr_tr_mitya/status/152475158941138944

和 是一个官方回答一个Q＆安培; A与乔纳森·内斯（安全开发经理，MSRC）和皮特·沃斯（高级响应通信管理器，可信赖计算）：

  

问：AppSettings.MaxHttpCollectionKeys新的参数，
  包含窗体的最大条目数？

  
  

答：是的，这是

Microsoft recently (12-29-2011) released an update to address several serious security vulnerabilities in the .NET Framework. One of the fixes introduced by MS11-100 temporarily mitigates a potential DoS attack involving hash table collisions. It appears this fix breaks pages that contain a lot of POST data. In our case, on pages that have very large checkbox lists. Why would this be the case?

Some non-official sources seem to indicate that MS11-100 places a limit of 500 on postback items. I can't find a Microsoft source that confirms this. I know that View State and other framework features eat up some of this limit. Is there any configuration setting that controls this new limit? We could switch away from using checkboxes but it works rather well for our particular situation. We'd also like to apply the patch because it protects against some other nasty things.

Unofficial source discussing the 500 limit:

The bulletin fixes the DOS attack vector by providing a limit to the number of variables that can be submitted for a single HTTP POST request. The default limit is 500 which should be enough for normal web applications, but still low enough to neutralize the attack as described by the security researchers in Germany.

EDIT: Source code with example of limit (which appears to be 1,000, not 500) Create a standard MVC app and add the following code to the main index view:

@using (Html.BeginForm()) 
{
    <fieldset class="fields">
        <p class="submit">
            <input type="submit" value="Submit" />
        </p>

        @for (var i = 0; i < 1000; i++)
        {
            <div> @Html.CheckBox("cb" + i.ToString(), true) </div>
        } 
    </fieldset>
}

This code worked before the patch. It doesn't work after. The error is:

[InvalidOperationException: Operation is not valid due to the current state of the object.]
System.Web.HttpValueCollection.ThrowIfMaxHttpCollectionKeysExceeded() +82 System.Web.HttpValueCollection.FillFromEncodedBytes(Byte[] bytes, Encoding encoding) +111
System.Web.HttpRequest.FillInFormCollection() +307

解决方案

Try adding this setting in web.config. I just tested this on .NET 4.0 with an ASP.NET MVC 2 project and with this setting your code doesn't throw:

<appSettings>
  <add key="aspnet:MaxHttpCollectionKeys" value="1001" />
</appSettings>

That should work now (after you have applied the security update) to change the limit.

---

I hadn't updated my machine yet, so using Reflector I checked the HttpValueCollection class, and it didn't have the ThrowIfMaxHttpCollectionKeysExceeded method:

I installed KB2656351 (update for .NET 4.0), reloaded the assemblies in Reflector and the method appeared:

So that method is definitely new. I used the Disassemble option in Reflector, and from what I can tell from the code it checks an AppSetting:

if (this.Count >= AppSettings.MaxHttpCollectionKeys)
{
  throw new InvalidOperationException();
}

If it doesn't find the value in the web.config file, it will set it to 1000 in System.Web.Util.AppSettings.EnsureSettingsLoaded (an internal static class):

 _maxHttpCollectionKeys = 0x3e8;

---

Also, Alexey Gusarov tweeted about this setting two days ago:

• http://twitter.com/#!/tr_tr_mitya/status/152473667102715904
• http://twitter.com/#!/tr_tr_mitya/status/152475158941138944

And here is an official answer from a Q&A with Jonathan Ness (Security Development Manager, MSRC) and Pete Voss (Sr. Response Communications Manager, Trustworthy Computing):

Q: Is AppSettings.MaxHttpCollectionKeys the new parameter that contains the maximum number of form entries?

A: Yes it is.

这篇关于ASP.NET MS11-100：我怎样才能改变发布形式值的最大数量的限制？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！