Archive: Posts Tagged ‘KB2656356 / MS11-100’

Unexpected: Throw If Max Http Collection Keys Exceeded

1 comment April 24th, 2012

On Dec 29, 2011, Microsoft released a security update KB2656356 / MS11-100 (http://technet.microsoft.com/en-us/security/bulletin/ms11-100) for ASP.NET to address a potential Denial of Service vulnerability.

In the update, they introduced a limit to the number of data elements on an ASP.NET form.   The default limit is 1000 data elements which can be easily met by complex 3rd party or custom webparts

Exceeding the limit will cause a ThrowIfMaxHttpCollectionKeysExceeded error.

After applying the patch, forms that exceed the limit will generate the following error (in ULS Log) attempting to configure/manipulate the webparts attributes :

System.Web.HttpException: The URL-encoded form data is not valid. —> System.InvalidOperationException: Operation is not valid due to the current state of the object.

at System.Web.HttpValueCollection.ThrowIfMaxHttpCollectionKeysExceeded()

at System.Web.HttpValueCollection.FillFromEncodedBytes(Byte[] bytes, Encoding encoding)

at System.Web.HttpRequest.FillInFormCollection()

Add the following to the web.config of all web front end servers in your farm:

<appsettings>

<add key=”aspnet:MaxHttpCollectionKeys” value=”10000″></add>

[</appsettings>

After the above is added, your various webparts should begin functioning normally.