We have a webform with 50 conditions. Trying to save conditions resulted in the user being banned on the site for a while. It turned out that the reason this happened is that the web hotel has installed ModSecurity. More specifically, it was a rule disallowing more than 1000 arguments in a request that triggered. Disabling the rule made it possible to save conditions without being banned.

The reason to disallow requests with many arguments is to prevent DoS attacks.
In this article, it is advocated to do that (in the section "Restrict the Number of ARGS"):
https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Mitigati...(CVE-2011-3414)/

If it is possible to change the module so it does not send that many arguments in a single request, it will prevent others from running into the same problem. Otherwise, it would probably be a good idea to document the problem as a known caveat. Or perhaps the module could detect that this is the problem and report accordingly.

By the way, the server responded with an Ajax error.
StatusText: Forbidden.

ResponseText:
403 Forbidden
Forbidden
You do not have permission to access this document.
Web Server at lejeguiden.dk

Comments

rosell.dk created an issue. See original summary.

DanChadwick’s picture

Category: Bug report » Support request
Status: Active » Fixed

Webform does report when the max_input_vars exceeds the limit, which is normally set at 1000. The page cannot be re-written without a loss of functionality.

This issue can serve as documentation, or someone can write a page in the community documentation for webform.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.
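
Added example, not part of the original thread and not Webform's or ModSecurity's own code: a small Python check that counts the arguments in a captured form-urlencoded POST body and compares the total with the 1000-argument limit discussed above, so an administrator can see how far over the limit a form is before changing the rule or `max_input_vars`. The sample body and its field names are constructed and hypothetical, and the script counts body arguments only, not query-string arguments.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlencode

ARG_LIMIT = 1000  # limit named in this thread (ModSecurity rule; usual max_input_vars)


def top_level_key(name):
    """Map 'conditionals[3][rules][0][value]' to 'conditionals'."""
    return name.split("[", 1)[0]


def audit_body(body, limit=ARG_LIMIT):
    """Count arguments in a form-urlencoded body as a per-request limit sees them."""
    # Blank values are kept: an empty form field is still one argument.
    pairs = parse_qsl(body, keep_blank_values=True)
    per_group = Counter(top_level_key(name) for name, _ in pairs)
    return {
        "total": len(pairs),
        "over_limit": len(pairs) > limit,
        "per_group": per_group.most_common(),  # largest contributor first
    }


def build_sample_body(conditions=50, rules=4):
    """Constructed sample input; field names are hypothetical, not Webform's."""
    fields = [("form_id", "sample_form"), ("form_token", "x"), ("op", "Save")]
    for c in range(conditions):
        base = f"conditionals[{c}]"
        fields += [(f"{base}[andor]", "and"), (f"{base}[weight]", str(c))]
        for r in range(rules):
            rule = f"{base}[rules][{r}]"
            fields += [
                (f"{rule}[source]", "1"),
                (f"{rule}[operator]", "equal"),
                (f"{rule}[value]", ""),  # blank on purpose, still counted
                (f"{rule}[weight]", str(r)),
                (f"{rule}[type]", "select"),
            ]
    return urlencode(fields)


if __name__ == "__main__":
    report = audit_body(build_sample_body())
    print(f"total arguments: {report['total']} (limit {ARG_LIMIT})")
    print("over limit:", report["over_limit"])
    for group, count in report["per_group"]:
        print(f"  {group}: {count}")
```

The per-group breakdown shows which part of the form produces most of the arguments, which helps decide whether a rule exception should be scoped to that one form rather than disabled site-wide.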