Skip to main content
M
matthewl20646694
Inspiring
November 5, 2025
Question

Issue with remove function parameters on CF 2023 Update 15

  • November 5, 2025
  • 3 replies
  • 559 views

Let me start, I do know about the changes in Update 14 related to "extra" arguments, and this is not the same issue, but I think it might be related.  The error is that a paramerter can not be found when making a call to a remote function in a CFC.  

 

Here is the top of the function definition:

    <CFFunction name="getTable" access="remote">
      <CFArgument name="Datasource" required="yes">
      <CFArgument name="Username" required="yes">
      <CFArgument name="Password" required="yes">
 
I am getting an error about " The DATASOURCE parameter to the getTable function is required but was not passed in.".  
 
Where this gets more complicated is that we encrypt all the data in our URL's.  So the call to the CFC looks like:
https://server/AgentListPolicies.cfc?EUDATA=... encrypted string ....
 
Then during the processing of application.cfm, we take the encrypted string, decrypt it and put all the variables from the string in the URL scope.  Doing a <CFDump var="#url#"> after the decryption, I can see all the variables
struct
DatasourceMYdataSource
PasswordXXXXXX
UsernameXXXXXX
methodgetTable

 

This code has worked up until Update 15 on CF 2023.  I did uninstall back to Update 12 and installed each update one by one and it worked fine on Update 14, but as soon as I install Update 15 it fails.  So this is something that specifically changed in Update 15 of ColdFusion 2023.  I did also try update 16, with the same issue as 15.  We started at 16 and after the issue we went back starting at 12 and doing each update one at a time with full WSConfig and clearing of all cached files.  

 

I am guessing that it is something about what/when the code is looking at the arguments in determining if they are passed.  Up to this point, it has seemed to be after the processing of application.cfm.  

 

I can do:

https://server/AgentListPolicies.cfc?EUDATA=... encrypted string ....&DataSource=&Username=&Password=

Where I pass in blank in the URL and my decription code overrites the blank with the needed value.  It is using the values from my decryption code puts into the URL scope without issue.  What is weird is that the Method name is in the encrypted data and the EUDATA is in the URL scope until my decrpytion code runs, and I remove it from the URL scope at the same time that I add in the other variables.  I have tried with and without the Dcoldfusion.runtime.remotemethod.matchArguments=false flag with no difference.  

 

We use the URL encryption in a lot of places of the code, so we can not add in blank values for all URL calls.  I can change the code on this function to make those arguments optional and then check in the code that they are set.  I can come up with several ways around this, but I am hoping there is some new setting/configuration argument that I am missing that might resolve this issue.  

 

 

Is there anything I am missing before I post this to Adobe support?  

 

Thank you.  

 

 

    3 replies

    BKBK
    BKBK
    Community Expert
    November 21, 2025

    @matthewl20646694 , is it possible for you to update your original post? If so, then could you please change the word "remove" in the title to "remote"? That will help future developers searching for the subject on the web.

    Charlie Arehart
    Charlie Arehart
    Community Expert
    November 5, 2025

    Matthew, that's certainly some interesting gymnastics you've had to go through.

     

    I'd like to focus on your last point. You say you added Dcoldfusion.runtime.remotemethod.matchArguments=false but it didn't help. First, let's confirm that is indeed set as you think it is. If you just dump the server.systemproperties, it will show you a few dozen things--among which will be any such JVM args, whether set by you in the CF admin or jvm.config. But there are also others that CF sets, and ones that the OS and Java and Tomcat set that are shown. So look for the ones starting with "coldfusion."

     

    And I've created a github jist of some code to do just that for you. See it here.

     

    BTW, I was writing that and this up while I see you offered your next reply with examples. I may not have time soon to try that, but perhaps others will. In the meantime, please do run that code I offer and see if you DO see that env var set. If not, you'll want to pursue why it's not set when you thought it was.

     

    Granted, fixing your code would be better, but I suspect you'd like to do the update if not for this problem, so if the JVM arg DOES work for you then it DOES allow you to proceed. Then maybe your example will help Adobe or us here to see what it is about your code that doesn't work without it.

    /Charlie (troubleshooter, carehart. org)
    M
    matthewl20646694Author
    Inspiring
    November 5, 2025

    I did get Docker running on my local machine, so I was able to test my sample against both CF2023 and CF2025 current version (most recent patch).  

     

    I did do as you suggested for outputting the flags.  
    coldfusion.datasource.blocked.properties = allowLoadLocalInfile,allowUrlInLocalInfile,autoDeserialize
    *coldfusion.home = /opt/coldfusion/cfusion/bin/..
    *coldfusion.jsafe.defaultalgo = FIPS186Random
    *coldfusion.libPath = /opt/coldfusion/cfusion/bin/../lib
    *coldfusion.rootDir = /opt/coldfusion/cfusion/bin/..
    coldfusion.runtime.remotemethod.matchArguments = false

     

    Tried with it set and not set (with CF restarts of CF within the docker after changing the setting).  I still got the same error message:

    The PARAM1 parameter to the TestFunc function is required but was not passed in.
    The error occurred on line -1.


    I tweaked the code to add in an error handler and a link on the test page that is not encrypted.  So I added a total of four links:
    * Encrypted Link

    * Encrypted Link with Extra Parameter

    * Regular Link

    * Regular Link with extra Parameter 

     

    What was interesting is that when I did not have the JVM argument in place (related to extra parameter) on the Encrypted link with the extra parameter, it errored about the extra parameter before checking for the required parameter.  (Function TestFunc does not support param2 as an argument in /app/TestCFC.cfc - The error occurred on line -1.)  Obviously this is know because of all the details about Cf 2023 Update 14 and this specific argument.  

     

    Changing the code is not ideal, because I am giving a simple example here, but we do this throughout our entire application, and any remote CFC call that we make would have this same issue.  This is just the fisrt place we ran into it and worked through debugging it.  

     

    Thanks.  

     

     

    BKBK
    BKBK
    Community Expert
    November 8, 2025

    Thank you for the reply.  I very much appreciate your time and thoughts on this.  

     

    First off, this is just sample code, the actual code is embeded in templates with a lot more going on, so I was actively trying to just extract enough logic so that I could show the issue.  It is not what I would normally want for regular production code.   Most of the issues that you mention are avoiding/working around the actual issue that I ma trying to get at, that ColdFusion does not seem to be looking at the URL scope when looking at the remote function call.  It does for the new "Extra Parameter" issue disuccssed related to Update 14, but this is sort of the opposite problem.  

     

    You mentioned about replacing my request parameter of Key with "#generateSecretKey('AES')#​".  The problem with that is that the page that generats the link would have a differnt key than the page trying to decrypt it.  The code works so that you encrypt the data with a given key, and then that key is used for decryption.  If you call the Generate key on every page call, then they would not match.  

    I think that you may be right about too many Encode for URL, but it is working, and as I said, I do not have that in my real code.  

     

    EUData is designed to be an encrypted string that has regular key/value URL pairs of data encrypted with in.  So the link would look like:
    TestCFC.cfc?EUData=ui9eTHvdhYo6opbyLfU2rGKmBsa1%2FbYY7diE3BJ607HdztvuoEW6UcHTmH5ehV%2FFEKlO0eisUGYKXHeBfxyx5GXd0vqgq%2BmvICY%2BT3E%2FXdU%3D

    But, once it is run through the decryption it would look the same as:
    TestCFC.cfc?Method=TestFunc&Param1=Test
    The decryption function gets rid of EUData from the URL scope, so that is why it is not needed in the function definition.  By the time that the code reaches the function it only has Method and Param1 left in the URL scope.  

     

    As for using Application.cfm / Application.cfc, I do use both in our application, and it does not really impact things, since all that I am done in this sample is defining a function and then calling it to decrypt the data.  This is done very differnetly in production, but I was just trying to create a simple example here.  

     

    I do have a call with Adobe support to talk thorugh the issue, and will update here if there is any update after that discussion.  As Charlie pointed out, this was identified and reported a few months back after Update 15 but there is no change in Update 16.  

     

    Thank you.  

     

     


    quote

    EUData is designed to be an encrypted string that has regular key/value URL pairs of data encrypted with in.  So the link would look like:
    TestCFC.cfc?EUData=ui9eTHvdhYo6opbyLfU2rGKmBsa1%2FbYY7diE3BJ607HdztvuoEW6UcHTmH5ehV%2FFEKlO0eisUGYKXHeBfxyx5GXd0vqgq%2BmvICY%2BT3E%2FXdU%3D

    By @matthewl20646694


    I did understand that. I hope you can see it implies the following: calling a CFC remotely without passing the method. That might be a problem.

    I suggested the following correction, which contains the essence of your code:

    • In test.cfm
    Here is Encrypted link:  <a href="./TestCFC.cfc?method=TestFunc&EUDATA=#encryptedURLData#">Test Link</a>
    •  In TestCFC.cfc
    <CFArgument name="EUData" required="yes">

     

    M
    matthewl20646694Author
    Inspiring
    November 5, 2025

    I did submit this to CF Support, but maybe someone knows something I am missing or maybe someone else is having issues similar.  

     

    I have tried to distill all the code into a sample test file that people can try locally.  Since I am not allowed to attach CFM file, they are just named to .txt file, but remove that from each of the files and put in a single directory.  Please do not criticize the code, I was trying to extract out the relevant parts from a lot more complicated code to demonstrate the issue.  

    The application.cfm file just has a decrpyiton function that is called and then thge URL scope is dumped.  The CFC just dumps the value of the argument passed in.  When you open test.cfm, you will get a link, that is something like:
    http://localhost/testenc/TestCFC.cfc?EUData=6eFox1UuBTPKiJyP0tznAWKmBsa1%2FbYY7diE3BJ607HdztvuoEW6UcHTmH5ehV%2FFhKRR8EfqqCkAfn4TmEuPoxgEpudIIyGMetZsW67v3Mg%3D

    Where all the parameters of the URL are in an encrypted string.  

    Unfortunately, I was only able to test this on a CF 2023 Update 14 server since they will not reinstall Update 15 or 16 right now, so I can only verify that it works correctly on a CF 2023 Update 14 machine, but not that it fails on an Update 15/16 server.  I am trying to get one setup that I can verify on, and also use later to test if people have suggestions or support has any suggestions.  

     

    Any thoughts are appreciated.  

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices