Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.
Last week I received a bug report from a client that a particular form was throwing a 500 error when trying to save. My initial investigations could not find any errors with the code, even with full debugging turned on, so I went looking out on the web for answers.
ColdFusion patch blocks large form submissions.
I remembered hearing a while ago that Adobe had plugged a security hole involving large forms. A quick search turned up this article from last year: adobe-ships-patch-for-coldfusion-flaw-that-could-lead-to-dos-attacks.
The meat of this article was that a ColdFusion server could be vulnerable to a DoS attack from a form with a huge number of fields and that Adobe had addressed this in a patch (ColdFusion 9 Hotfix APSB12-06) by putting a limit of 100 on how many fields ColdFusion would try to process. Any form with more than 100 fields would not be processed and a 500 error would be thrown.
Sure enough, when I checked I discovered that this form had dynamically generated fields from a database table and that the number of fields being generated had now exceeded 100.
Modify neo-runtime.xml to increase number of permitted form fields
The solution is actually quite simple. To get around this limitation we simply increase the number of permitted form fields to a more realistic number for our needs.
To do this we modify the "neo-runtime.xml" file for each server instance.
Standard Server
For a standard server locate the file here.
Enterprise Server
For an enterprise server locate the file here for each server instance.
Add/Modify the 'postParametersLimit' setting
After first backing up the file, inside the neo-runtime.xml file locate the "postParametersLimit" entry and increase its value from 100.0 to a higher number, for example 200.0. I have no idea why there is a decimal place in this figure but I left it in for safety.
If you can't find the postParametersLimit entry then locate the following entry:
<var name='postSizeLimit'><number>100.0</number></var>
Now add this entry immediately after it, remembering to up the value from 100 to whatever value you think sensible for your needs.
<var name='postParametersLimit'><number>100.0</number></var>
Now restart the server and test. Repeat this for every server/instance.
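The edit described above as a script, added here as an example and not part of the original post: it backs up the file, raises postParametersLimit if the entry exists, and otherwise inserts it immediately after postSizeLimit. The function names, the .bak suffix, the UTF-8 encoding and the SAMPLE fragment are assumptions; the entry layout is the one shown in this post.

```python
import re
import shutil

# Constructed sample fragment (hypothetical second entry); real files hold many more.
SAMPLE = ("<struct><var name='postSizeLimit'><number>100.0</number></var>"
          "<var name='exampleOtherSetting'><number>1.0</number></var></struct>")

# Entry layout as shown in the post; either quote style is accepted when matching.
LIMIT_RE = re.compile(
    r"(<var name=['\"]postParametersLimit['\"]>\s*<number>)([0-9.]+)(</number>)")
ANCHOR_RE = re.compile(
    r"<var name=['\"]postSizeLimit['\"]>\s*<number>[0-9.]+</number>\s*</var>")
ENTRY = "<var name='postParametersLimit'><number>{:.1f}</number></var>"


def current_limit(xml_text):
    """Return the configured limit as a float, or None if the entry is absent."""
    m = LIMIT_RE.search(xml_text)
    return float(m.group(2)) if m else None


def set_limit(xml_text, limit):
    """Return xml_text with postParametersLimit set to `limit`.

    Updates the existing entry, or inserts a new one right after postSizeLimit.
    """
    if limit < 1:
        raise ValueError("limit must be a positive number")
    if LIMIT_RE.search(xml_text):
        return LIMIT_RE.sub(
            lambda m: f"{m.group(1)}{limit:.1f}{m.group(3)}", xml_text, count=1)
    anchor = ANCHOR_RE.search(xml_text)
    if anchor is None:
        raise ValueError("neither postParametersLimit nor postSizeLimit found")
    end = anchor.end()
    return xml_text[:end] + ENTRY.format(limit) + xml_text[end:]


def update_file(path, limit):
    """Back up the file (path + '.bak'), then rewrite it with the new limit."""
    shutil.copy2(path, str(path) + ".bak")
    with open(path, encoding="utf-8", newline="") as f:  # keep line endings as-is
        text = f.read()
    with open(path, "w", encoding="utf-8", newline="") as f:
        f.write(set_limit(text, limit))
```

Set the limit only as high as the largest legitimate form needs, since this cap is what the hotfix uses to bound the DoS exposure described above.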
Reader Comments
Tuesday, April 23, 2013 at 8:49:13 AM Coordinated Universal Time
It'd almost be nice if you could override this in application.cfc or something. We ran into this at work and had to increase the setting on the server, which hosted 100s of applications but only needed the setting increased for 1 app.
Monday, July 21, 2014 at 12:25:58 PM Coordinated Universal Time
Thanks so much for this post. I was having a heck of a time troubleshooting this before I found your post. Thankfully adjusting the post limit is much easier in CF 10:
In ColdFusion 10 Administrator:
Server Settings / Settings / Request Size Limits / Maximum number of POST request parameters
Saturday, October 4, 2014 at 7:15:28 AM Coordinated Universal Time
Thanks - worked a treat!
Tuesday, May 19, 2015 at 12:13:42 PM Coordinated Universal Time
Is it possible to change the 'postSizeLimit' in application.cfm?