APSB12-06 and errors

Report · Mar 15, 2012

Since applying the latest security patch I am receiving the below events and it has broken two of our apps.

03/15 11:54:38 error ROOT CAUSE:

coldfusion.filter.FormScope$PostParametersLimitExceededException: POST parameters exceeds the maximum limit specified in the server.

at coldfusion.filter.FormScope.parseQueryString(FormScope.java:397)

at coldfusion.filter.FormScope.parsePostData(FormScope.java:346)

at coldfusion.filter.FormScope.fillForm(FormScope.java:296)

at coldfusion.filter.FusionContext.SymTab_initForRequest(FusionContext.java:377)

at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:33)

at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)

at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)

at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:126)

at coldfusion.CfmServlet.service(CfmServlet.java:200)

at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)

at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)

at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)

at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)

at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)

at jrun.servlet.FilterChain.service(FilterChain.java:101)

at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)

at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)

at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)

at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)

at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)

at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)

at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

javax.servlet.ServletException: ROOT CAUSE:

coldfusion.filter.FormScope$PostParametersLimitExceededException: POST parameters exceeds the maximum limit specified in the server.

at coldfusion.filter.FormScope.parseQueryString(FormScope.java:397)

at coldfusion.filter.FormScope.parsePostData(FormScope.java:346)

at coldfusion.filter.FormScope.fillForm(FormScope.java:296)

at coldfusion.filter.FusionContext.SymTab_initForRequest(FusionContext.java:377)

at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:33)

at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)

at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)

at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:126)

at coldfusion.CfmServlet.service(CfmServlet.java:200)

at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)

at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)

at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)

at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)

at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)

at jrun.servlet.FilterChain.service(FilterChain.java:101)

at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)

at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)

at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)

at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)

at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)

at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)

at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:70)

at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)

at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)

at jrun.servlet.FilterChain.service(FilterChain.java:101)

at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)

at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)

at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)

at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)

at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)

at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)

at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

03/15 11:54:38 error (JRun Service: ProxyService [jrun.servlet.jrpp.JRunProxyService@4c27d5bc]) JRunPRoxyServer.invokeRunnable:

java.lang.IllegalStateException

at jrun.servlet.JRunResponse.getWriter(JRunResponse.java:205)

at jrun.servlet.JRunResponse.sendError(JRunResponse.java:597)

at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:328)

at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)

at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)

at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)

at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

Report · Apr 20, 2012

This needs to be a per application setting and not just a global setting. We have forms with 300 form fields and from a security perspective, that shouldn't be the server baseline. Hopefully, CF10 will address this. Since this is called postParameterLimit, does anybody know if processing cfparam or cfqueryparam gets included in the count? If not, why not change the name to formFieldLimit?

Report · Apr 20, 2012

Stephen, no, it has nothing to do with those other “parameters”. That word is used generically throughout CFML and indeed IT in various ways (good ol’ parameterexists was the way to test for variable existence before isdefined). I suspect in this case the engineer picking it did so without any consideration of the use of the word elsewhere in CFML.

As for the name of the xml element, well, the hotfix is about form submissions, via an http post method, so the “formpost” part is at least technically correct, if perhaps not as user friendly as it could be. And then they needed a metric to count how many of those per request would be permitted, and they chose “parameter”. They could have chosen “count”, or perhaps others. So yes they could have picked “formfieldlimit”, or one might argue that even “formfieldcountlimit” would be more accurate. Or “formfieldmaxcount”, and so on.

But the name is a pretty low-priority issue, I think, and I doubt they’d revisit it. Just one person’s opinion. We’ve just not seen much from Adobe on this issue here, so I’m just offering at least one reply for you sine you feel the matter deserves consideration. Hope that’s helpful.

/charlie

/Charlie (troubleshooter, carehart. org)

Report · Apr 20, 2012

Stephen, you won’t find this setting there, until you apply this fix.

Like Dan, I’m curious where you’re getting your 15 from. You seem quite confident. When you say “if the setting has been there, it was set at 15”. So do you mean, in some of your servers, in that xml file, you find that setting, and it’s set at 15? You or someone there had to have put it there, from everything I know about this issue.

/charlie

/Charlie (troubleshooter, carehart. org)

Report · Apr 20, 2012

Charlie,

We applied the hotfix to all of our servers (10) and 2 had a value of 15 and the rest didn't even have the setting. I am the only one who has attempted to modify the neo file, so I am fairly confident in my findings. We ended up rolling back to hotfix 3 on most of the servers because of the high form field count. As far as the naming, it is a very low priority issue. I still think it should be an application level setting (this.postParametersLimit) to allow admins to set a low default value and overide on a per application basis.

As always, thanks for taking the time to respond.

Cheers,

Steve

Report · Apr 20, 2012

Fair enough, Stephen, and thanks for the kind regards. But do you understand that the setting can only get there if you put it there (whether it’s there at all, or there with a value of 15)?

This is discussed in note 5 in the technote, http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html. You just seem to be asserting that it got there somehow another way. It cannot. And if it’s not there, than as the note indicates, the default is 100. You only need add the xml element if you want to change that.

As for hoping it might be made more app-level instead, I can appreciate the value in that. We can hope that the Adobe engineers will see this and consider it. But you may be better off filing that as an enhancement request, at https://bugbase.adobe.com/.

Hope that’s helpful.

/charlie

/Charlie (troubleshooter, carehart. org)

Report · Jun 20, 2012

We encountered the "coldfusion.filter.FormScope$PostParametersLimitExceededException: POST parameters exceeds the maximum limit specified in the server." error after a fresh installation of ColdFusion 9.0.2 (the edition without Verity).

The CF9 Administrator does not have a setting for this option (whereas the CF10 Administrator does), so we edited the neo-runtime.xml file to increase the parameter to 5000.0 as suggested above and that solved the issue for us.

Report · Jun 20, 2012

Ben - actually I think 9.0.2 does now have a setting for this in the ColdFusion administrator, it was listed in the release notes, I have not yet tried 9.0.2 so I can't confirm.

--

Pete Freitag

Foundeo Inc. | HackMyCF.com

Report · Jun 21, 2012

We can all wish it was so, Pete, but sadly, no.

http://helpx.adobe.com/coldfusion/release-note/coldfusion-9-0-update-2.html#ChangestoColdFusionAdministrator

“The setting is not exposed in the ColdFusion Administrator console, but it can be modified in the neo-runtime.xml file.”

Perhaps it may be offered in another updater some day.

/charlie

/Charlie (troubleshooter, carehart. org)

Report · Jun 21, 2012

Thanks for checking/clarifying charlie - I obviously misread that note as The setting is *now* exposed...

Report · Feb 21, 2013

Does anyone know if it's possible to read this setting procedurally, even with undocumented APIs? Our support staff has access to a code execution environment on some remote servers, and wants to be able to check it.

Thanks,

Dave

Report · Feb 25, 2013

Yes, Dave, by way of the AdminAPI, which is available in both Standard and Enterprise editions of CF. See the runtime.cfc’s getRuntimeProperty method. Here’s one very simplistic example of code to get it: just change it to your user CF Admin password.

/charlie

/Charlie (troubleshooter, carehart. org)

Report · Feb 26, 2013

Thanks for getting back, and for the general steer, but the code in your post got eaten. I tried the code below (which probably also won't come through), but the result is undefined. My guess is that all I need is the right name for that parameter, assuming it's readable via the API. If you or anyone else knows where I could find docs or other info on this, it'd be great.

Dave

createObject("component","cfide.adminapi.administrator").login("triangle99");

runtime = createObject("component","CFIDE.adminapi.runtime");

prop = runtime.GetRuntimeProperty("postParametersLimit");

</cfscript>

Report · Feb 26, 2013

Bummer. I hate when that happens (that forums or mailing lists hide or munge code when we offer it.) Here it is again, without the opening and closing brackets (and sure, it could be done as pure CFSCRIPT as well):

cfset createobject("component","CFIDE.adminapi.administrator").login('youradminpw')

cfdump var="#createobject("component","CFIDE.adminapi.runtime").getRuntimeProperty("PostParametersLimit")#"

Curiously, yours came through fine (did you enter yours in the web-based forum interface? I am replying by email), and I see that your code is essentially the same. It worked for me, so I would say that if the value is empty for you, that means it’s NOT defined (in the neo-runtime.xml), which of course it’s not by default in CF 9. You have to add it. If you may feel you did add it, then I would propose you may have added it in a way that it’s not being recognized. You have to be sure to enter the XML just as offered in the technote. It’s best to find the one for postsizelimit, and duplicate it, and then modify the duplicated version.

Hope that helps.

/charlie

/Charlie (troubleshooter, carehart. org)