Last week I received a bug report from a client that a particular form was throwing a 500 error when trying to save. My initial investigations could not find any errors with the code even with full debugging turned on so I went looking out on the web for answers.
I remembered hearing a while ago that Adobe had plugged a security hole involving large forms. A quick search turned up this article from last year adobe-ships-patch-for-coldfusion-flaw-that-could-lead-to-dos-attacks.
The meat of this article was that a ColdFusion server could be vulnerable to a DOS attack from a form with a huge number of fields and that Adobe had addressed this in a patch (ColdFusion 9 Hotfix APSB12-06) by putting a limit of 100 on how many fields ColdFusion would try to process. Any form with more than 100 fields would not be processed and a 500 error would be thrown.
Sure enough when I checked I discovered that this forms had dynamically generated fields from a database table and that the number of fields being generated had now exceeded 100.
The solution is actually quite simple. To get around this limitation we simply increase the number of permitted form fields to a more realistic number for our needs.
To do this we modify the "neo-runtime.xml" file for each server instance.
For a standard server locate the file here.
For a enterprise server locate the file here for each server instance.
After first backing up the file, inside the neo-runtime.xml file locate the "postParametersLimit" entry and increase its value from 100.0 to a higher number, for example 200.0 . I have no idea why there is a decimal place in this figure but I left it in for safety.
If you can't find the postParametersLimit entry then locate the following entry:
100.0
Now add this entry immediately after it, remembering to up the value from 100 to whatever value you think sensible for your needs.
100.0
Now restart the server and test. Repeat this for every server/instance.