Avoid "hash algorithm collision" http://www.ocert.org/advisories/ocert-2011-003.html
support keys limit size and allow keys for Avoid "hash algorithm coll…
Honestly, I don't think anyone will use these settings. You would need to set them in so many places, and those security people even admitted they've never seen it done in practice.
If I use connect, I only put these settings into the query and bodyParser middlewares if they support an options argument.
If a query string contains too many key-value pairs, and I don't want to set the request body size too small, I think these limit settings would be helpful.
Our security member has just implemented the "hash algorithm collision" in V8.
And the test succeeded in our Node.js web application using Express.
I will send the test code to your email later; you can check it out.
I'm not saying it can't be done, there are many other attacks as well. I'm just saying they never even found it performed in practice. You could also do it with formidable, with json(), with urlencoded(), with querystring(); there are too many vectors to cover.
fixed limit options not use int split() bug
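
The kind of limit discussed in this thread, as an added example that is not code from the pull request or from connect: a query-string parser that rejects input with too many pairs and can keep only an allowed set of keys. The names `parseLimited`, `maxKeys`, `allowKeys` and `decode` are hypothetical, and the default limit of 100 is an assumption.

```javascript
'use strict';

// Hypothetical helper: parse a query string, rejecting it once it holds more
// than maxKeys pairs, and keeping only names listed in allowKeys (if given).
function parseLimited(qs, { maxKeys = 100, allowKeys = null } = {}) {
  const allowed = allowKeys ? new Set(allowKeys) : null;
  const out = Object.create(null); // no prototype, so "__proto__" is just a key
  let count = 0;
  let start = 0;

  // Walk the string pair by pair instead of calling split('&'), so an
  // oversized input is rejected before every pair has been materialised.
  while (start <= qs.length) {
    let end = qs.indexOf('&', start);
    if (end === -1) end = qs.length;
    const pair = qs.slice(start, end);
    start = end + 1;
    if (pair === '') continue; // empty segment, e.g. "a=1&&b=2"

    if (++count > maxKeys) {
      throw new RangeError('too many query parameters');
    }

    const eq = pair.indexOf('=');
    const name = decode(eq === -1 ? pair : pair.slice(0, eq));
    if (allowed && !allowed.has(name)) continue; // dropped, but still counted
    out[name] = eq === -1 ? '' : decode(pair.slice(eq + 1));
  }
  return out;
}

// Decode one component; malformed percent-escapes are kept as raw text.
function decode(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (e) {
    return s;
  }
}

// Constructed sample input: 5000 distinct keys in one query string.
const flood = Array.from({ length: 5000 }, (_, i) => 'k' + i + '=1').join('&');
```

A caller would catch the `RangeError` and answer with an error status instead of building the object.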