Author: Steven Neiland
Published:

Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.

Last week I received a bug report from a client that a particular form was throwing a 500 error when trying to save. My initial investigations could not find any errors with the code, even with full debugging turned on, so I went looking on the web for answers.

ColdFusion patch blocks large form submissions.

I remembered hearing a while ago that Adobe had plugged a security hole involving large forms. A quick search turned up this article from last year: adobe-ships-patch-for-coldfusion-flaw-that-could-lead-to-dos-attacks.

The meat of this article was that a ColdFusion server could be vulnerable to a DoS attack from a form with a huge number of fields, and that Adobe had addressed this in a patch (ColdFusion 9 Hotfix APSB12-06) by putting a limit of 100 on how many fields ColdFusion would try to process. Any form with more than 100 fields would not be processed and a 500 error would be thrown.

Sure enough, when I checked I discovered that this form had dynamically generated fields from a database table and that the number of fields being generated had now exceeded 100.

Modify neo-runtime.xml to increase number of permitted form fields

The solution is actually quite simple. To get around this limitation we simply increase the number of permitted form fields to a more realistic number for our needs.

To do this we modify the "neo-runtime.xml" file for each server instance.

Standard Server

For a standard server locate the file here.

{ColdFusion-Home}/lib/neo-runtime.xml

Enterprise Server

For an enterprise server locate the file here for each server instance.

{ColdFusion-Instance-Home}/WEB-INF/cfusion/lib/neo-runtime.xml

Add/Modify the 'postParametersLimit' setting

After first backing up the file, locate the "postParametersLimit" entry inside the neo-runtime.xml file and increase its value from 100.0 to a higher number, for example 200.0. I have no idea why there is a decimal place in this figure but I left it in for safety.

If you can't find the postParametersLimit entry then locate the following entry:

<var name='postSizeLimit'><number>100.0</number></var>

Now add this entry immediately after it, remembering to up the value from 100 to whatever value you think sensible for your needs.

<var name='postParametersLimit'><number>100.0</number></var>

Now restart the server and test. Repeat this for every server/instance.
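
The edit described above as a small script, added here as an example and not taken from the original post: it raises the postParametersLimit entry in place, or adds it immediately after postSizeLimit when it is missing. The function names, the sample XML wrapper, the UTF-8 encoding and the .bak backup suffix are assumptions.

```python
import os
import re
import shutil

ENTRY = "<var name='{name}'><number>{value}</number></var>"  # entry format shown in the post

def _entry_re(name):
    # Tolerates either quote style and whitespace between the tags.
    return re.compile(r"(<var name=(['\"])" + re.escape(name) +
                      r"\2>\s*<number>)([0-9]+(?:\.[0-9]+)?)(</number>\s*</var>)")

def set_post_parameters_limit(xml_text, new_limit):
    """Return (updated_text, previous_limit); previous_limit is None if the entry was added."""
    if new_limit < 1:
        raise ValueError("limit must be a positive number")
    value = f"{float(new_limit):.1f}"  # keep the decimal form the file already uses
    limit_re = _entry_re("postParametersLimit")
    found = limit_re.search(xml_text)
    if found:
        updated = limit_re.sub(lambda m: m.group(1) + value + m.group(4), xml_text, count=1)
        return updated, float(found.group(3))
    anchor = _entry_re("postSizeLimit").search(xml_text)
    if anchor is None:
        raise ValueError("postSizeLimit entry not found; refusing to edit")
    entry = ENTRY.format(name="postParametersLimit", value=value)
    return xml_text[:anchor.end()] + entry + xml_text[anchor.end():], None

def update_file(path, new_limit):
    """Back up neo-runtime.xml once to path + '.bak' (assumed suffix), then apply the change."""
    if not os.path.exists(path + ".bak"):  # never overwrite the pristine backup
        shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:  # assumption: the file is UTF-8
        text = fh.read()
    updated, previous = set_post_parameters_limit(text, new_limit)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return previous

# Constructed sample: only the postSizeLimit entry is taken from the post.
SAMPLE = "<struct><var name='postSizeLimit'><number>100.0</number></var></struct>"

if __name__ == "__main__":
    added, prev = set_post_parameters_limit(SAMPLE, 200)
    print(prev, added)   # entry was missing, so it is inserted after postSizeLimit
    raised, prev = set_post_parameters_limit(added, 250)
    print(prev, raised)  # entry exists, so only its value changes
```

Since this limit is what the hotfix uses to bound the DoS exposure, set it only as high as the largest legitimate form requires.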

Reader Comments

Jim Priest
Tuesday, April 23, 2013 at 8:49:13 AM EDT

It'd almost be nice if you could override this in application.cfc or something. We ran into this at work and had to increase the setting on the server, which hosted 100's of applications but only needed the setting increased for 1 app.

Dan Johnson
Monday, July 21, 2014 at 12:25:58 PM EDT

Thanks so much for this post. I was having a heck of a time troubleshooting this before I found your post. Thankfully adjusting the post limit is much easier in CF 10:
In ColdFusion 10 Administrator:
Server Settings / Settings / Request Size Limits / Maximum number of POST request parameters

Dave
Saturday, October 4, 2014 at 7:15:28 AM EDT

Thanks - worked a treat!

Jay Smith
Tuesday, May 19, 2015 at 12:13:42 PM EDT

Is it possible to change the 'postSizeLimit' in application.cfm?
