Inspiring

Question

Issue with remove function parameters on CF 2023 Update 15

Forum|Forum|2 months ago
November 5, 2025
3 replies
564 views

Let me start, I do know about the changes in Update 14 related to "extra" arguments, and this is not the same issue, but I think it might be related. The error is that a paramerter can not be found when making a call to a remote function in a CFC.

Here is the top of the function definition:

I am getting an error about " The DATASOURCE parameter to the getTable function is required but was not passed in.".

Where this gets more complicated is that we encrypt all the data in our URL's. So the call to the CFC looks like:
https://server/AgentListPolicies.cfc?EUDATA=... encrypted string ....

Then during the processing of application.cfm, we take the encrypted string, decrypt it and put all the variables from the string in the URL scope. Doing a <CFDump var="#url#"> after the decryption, I can see all the variables

struct
Datasource	MYdataSource
Password	XXXXXX
Username	XXXXXX
method	getTable

This code has worked up until Update 15 on CF 2023. I did uninstall back to Update 12 and installed each update one by one and it worked fine on Update 14, but as soon as I install Update 15 it fails. So this is something that specifically changed in Update 15 of ColdFusion 2023. I did also try update 16, with the same issue as 15. We started at 16 and after the issue we went back starting at 12 and doing each update one at a time with full WSConfig and clearing of all cached files.

I am guessing that it is something about what/when the code is looking at the arguments in determining if they are passed. Up to this point, it has seemed to be after the processing of application.cfm.

I can do:

https://server/AgentListPolicies.cfc?EUDATA=... encrypted string ....&DataSource=&Username=&Password=

Where I pass in blank in the URL and my decription code overrites the blank with the needed value. It is using the values from my decryption code puts into the URL scope without issue. What is weird is that the Method name is in the encrypted data and the EUDATA is in the URL scope until my decrpytion code runs, and I remove it from the URL scope at the same time that I add in the other variables. I have tried with and without the Dcoldfusion.runtime.remotemethod.matchArguments=false flag with no difference.

We use the URL encryption in a lot of places of the code, so we can not add in blank values for all URL calls. I can change the code on this function to make those arguments optional and then check in the code that they are set. I can come up with several ways around this, but I am hoping there is some new setting/configuration argument that I am missing that might resolve this issue.

Is there anything I am missing before I post this to Adobe support?

Thank you.

BKBK

Community Expert

@matthewl20646694 , is it possible for you to update your original post? If so, then could you please change the word "remove" in the title to "remote"? That will help future developers searching for the subject on the web.

Charlie Arehart

Community Expert

Matthew, that's certainly some interesting gymnastics you've had to go through.

I'd like to focus on your last point. You say you added Dcoldfusion.runtime.remotemethod.matchArguments=false but it didn't help. First, let's confirm that is indeed set as you think it is. If you just dump the server.systemproperties, it will show you a few dozen things--among which will be any such JVM args, whether set by you in the CF admin or jvm.config. But there are also others that CF sets, and ones that the OS and Java and Tomcat set that are shown. So look for the ones starting with "coldfusion."

And I've created a github jist of some code to do just that for you. See it here.

BTW, I was writing that and this up while I see you offered your next reply with examples. I may not have time soon to try that, but perhaps others will. In the meantime, please do run that code I offer and see if you DO see that env var set. If not, you'll want to pursue why it's not set when you thought it was.

Granted, fixing your code would be better, but I suspect you'd like to do the update if not for this problem, so if the JVM arg DOES work for you then it DOES allow you to proceed. Then maybe your example will help Adobe or us here to see what it is about your code that doesn't work without it.

/Charlie (troubleshooter, carehart. org)

matthewl20646694Author

Inspiring

I did get Docker running on my local machine, so I was able to test my sample against both CF2023 and CF2025 current version (most recent patch).

I did do as you suggested for outputting the flags.
coldfusion.datasource.blocked.properties = allowLoadLocalInfile,allowUrlInLocalInfile,autoDeserialize
*coldfusion.home = /opt/coldfusion/cfusion/bin/..
*coldfusion.jsafe.defaultalgo = FIPS186Random
*coldfusion.libPath = /opt/coldfusion/cfusion/bin/../lib
*coldfusion.rootDir = /opt/coldfusion/cfusion/bin/..
coldfusion.runtime.remotemethod.matchArguments = false

Tried with it set and not set (with CF restarts of CF within the docker after changing the setting). I still got the same error message:

The PARAM1 parameter to the TestFunc function is required but was not passed in.
The error occurred on line -1.

I tweaked the code to add in an error handler and a link on the test page that is not encrypted. So I added a total of four links:
* Encrypted Link

* Encrypted Link with Extra Parameter

* Regular Link

* Regular Link with extra Parameter

What was interesting is that when I did not have the JVM argument in place (related to extra parameter) on the Encrypted link with the extra parameter, it errored about the extra parameter before checking for the required parameter. (Function TestFunc does not support param2 as an argument in /app/TestCFC.cfc - The error occurred on line -1.) Obviously this is know because of all the details about Cf 2023 Update 14 and this specific argument.

Changing the code is not ideal, because I am giving a simple example here, but we do this throughout our entire application, and any remote CFC call that we make would have this same issue. This is just the fisrt place we ran into it and worked through debugging it.

Thanks.

Community Expert

Thank you very much for your thought and time on this. I really do appreciate it.

The error message, "Call is missing Param1" is an indication that it knows the specific function I am calling. I can change the parameter name, and it will change the message to match the parameter name. So if there was an issue with using this encryption on the method name, then it would not know the name of the parameter that is missing.

While this simple example, moving the decryption into the function and using EUData as the argument might be an option, but this would have to happen in a lot of template in my application, because just about every link that goes through a user's browser on the application uses this technique. I also do not use encryption when the server is making a call back to itself, so a change in each function would require a large amount of code changes.

If I was just starting to try to implement this, then I would agree with a lot of what you have said and handle it very differently. The big issue is that this technique has been working for me and other people for a long time and only just now broke with a very specific update patch applied from Adobe. From talking with support, they did not seem to indicate that this was intentional or something they were purposefuly doing, but it is hard to know since I have only dealt with the first level support and they may not know as much.

As for doing this all with the application.cfm, the purpose of doing it there is that the rest of the code does not have to do anything special or be aware of anything happening at all. It happens "auto-magically". While this sample was using Application.cfm, we do have several application within our code, and several of the mdo use application.cfm and the decryption is done on the the request start. My companies main application started back in 2000 and has just evolved over the years. We have used better techniques in various parts of our application, but some of the core code, there was just no compelling reason to modify.

I am just hoping not to have to change hundreds of templates because of a change that adobe did not intend to make. If they come back and this was an intentional change, then yes I will probably use a lot of the changes dicussed on this thread.

Thank you.

Hi @matthewl20646694 , thanks for the clarification. It confirms that my understanding of the intention of the code has been correct right from the start. However, I think I haven't yet convinced you that there are possible loopholes in the reasoning and in the design of your code. There actually are. They could do with some improvement.

Before we get to the root-cause of the issue, let me show you that I understand what is going on. What I understand is essentially as follows. The code that is causing the issue involves a CFC, a test CFM and Application.cfm. The test CFM contains a link to a remote call to the CFC:

test.cfm

<!--- 
The query-string consists of the requested CFC method and 4 URL variables and their respective values.
The entire query-string is url-encoded, then encrypted.
The link represents a remote call to the CFC.
In the call, the query-string has been replaced by just one variable, EUData=#UrlEncodedEncryptedQueryString#,
--->
<CFSet queryString = "Method=TestFunc&Param1=Param1Value&Param2=Param2Value&Param3=Param3Value&Param4=Param4Value">
<CFSet encryptedQueryString = encrypt(queryString,"PjzF/tm6q3FB+jtYUsLXqzJMYsdCSBwd3cvtYfyTeuo=",'AES', 'Base64')>
<cfset UrlEncodedEncryptedQueryString = encodeForURL(encryptedQueryString)>
<CFOutput>
    The encrypted link:  <a href="./TestCFC.cfc?EUData=#UrlEncodedEncryptedQueryString#">Test Link</a><br>
</CFOutput>

TestCFC.cfc

<cfcomponent>
    <cffunction name="testfunc" access="remote" returntype="void">
	    <cfargument name="param1" required="yes">
    
    </cffunction>
</cfcomponent>

Application.cfm

<!---
The remote URL request is intercepted here.
The main (single) URL variable, EUData, is decrypted and its constituent parts extracted.

(Note: Though the constituent parts consist of the 5 name-value pairs from the original query-string in the test CFM, they are themselves NOT URL variables. 
The only URL variable ColdFusion knows at this point is URL.EUData.) 

The decrypted string is parsed, from which URL variables are set, among which, 

<cfset url.method = "testFunc">
<cfset url.param1= "Param1Value">
<cfset url.param2= "Param2Value">
<cfset url.param3= "Param3Value">
<cfset url.param4= "Param4Value">
--->

The issue:

When you run test.cfm and click on the link, you get the error "The PARAM1 parameter to the testFunc function is required but was not passed in.". You're getting the error after Update 14 of ColdFusion 2023. The code worked without any issues on previous updates.

I hope that shows you I understand what the issue is. Then I will say that the cause of the issue is clear. Following Update 14 of ColdFusion 2023, remote CFC calls have become stricter. If the remotely invoked CFC method contains a required argument, then that argument must be present as one of the parameters in the query-string. Otherwise you will get an error.

Now comes what I consider to be the root cause of the error you're getting. In using Application.cfm to intercept the URL request, you're effectively doing a URL-rewrite. As far as ColdFusion is concerned, the only URL variable it knows is EUData. The variable URL.method does NOT yet exist.

The root cause is that, rightly or wrongly, ColdFusion is preprogrammed to validate the remote CFC method the moment url.method is defined. That is, the moment it encounters:

<cfset url.method = "testFunc">

That is what happens in your case. Apparently, that line of code confuses ColdFusion into thinking that method=testFunc is part of the query-string coming from the browser. But then it misses the required parameter. Hence the error.

Here's much simpler code to reproduce the behaviour:

test.cfm

<CFSet queryString = "Method=TestFunc&ParamX=ParamXValue">
<CFSet encryptedQueryString = encrypt(queryString,"PjzF/tm6q3FB+jtYUsLXqzJMYsdCSBwd3cvtYfyTeuo=",'AES', 'Base64')>
<cfset UrlEncodedEncryoptedQueryString = encodeForURL(encryptedQueryString)>
<CFOutput>
    The encrypted link:  <a href="./TestCFC.cfc?EUData=#UrlEncodedEncryoptedQueryString#">Test Link</a><br>
</CFOutput>

TestCFC.cfc

<cfcomponent>
    <cffunction name="testfunc" access="remote" returntype="void">
	    <cfargument name="paramX" required="yes">
    
    </cffunction>
</cfcomponent>

Application.cfc

<cfcomponent>
<cfset this.name = "RemoteCFCTestApp">

<cffunction name="onApplicationStart" returntype="boolean">
		
<cfreturn true>
</cffunction>

<cffunction name="onRequestStart" returntype="boolean">
 	<cfargument name = "targetPage" type="String" required="true"> 	

 	<!--- 
 	The next line automatically triggers validation of the remote call testFunc().
    If the function happens to have a required argument, you will get an error.
 	--->
 	<cfset url.method="testFunc">
 	<!---<cfset url.paramX="ParamXValue">--->
 		
 	<cfreturn true>
</cffunction>
 
</cfcomponent>

That such things happened "auto-magically" is a clear sign that you were taking risks. One little change or bug-fix in ColdFusion, and the whole pack of cards may come crashing down.

As a workaround, here's one of my suggestions once again: include method=testFunc transparently in the link from the browser..That is,

In test.cfm

Here is Encrypted link:  <a href="./TestCFC.cfc?method=testFunc&EUData=#encryptedURLData#">Test Link</a>

In TestCFC.cfc

<CFArgument name="EUData" required="yes">

matthewl20646694Author

Inspiring

I did submit this to CF Support, but maybe someone knows something I am missing or maybe someone else is having issues similar.

I have tried to distill all the code into a sample test file that people can try locally. Since I am not allowed to attach CFM file, they are just named to .txt file, but remove that from each of the files and put in a single directory. Please do not criticize the code, I was trying to extract out the relevant parts from a lot more complicated code to demonstrate the issue.

The application.cfm file just has a decrpyiton function that is called and then thge URL scope is dumped. The CFC just dumps the value of the argument passed in. When you open test.cfm, you will get a link, that is something like:
http://localhost/testenc/TestCFC.cfc?EUData=6eFox1UuBTPKiJyP0tznAWKmBsa1%2FbYY7diE3BJ607HdztvuoEW6UcHTmH5ehV%2FFhKRR8EfqqCkAfn4TmEuPoxgEpudIIyGMetZsW67v3Mg%3D

Where all the parameters of the URL are in an encrypted string.

Unfortunately, I was only able to test this on a CF 2023 Update 14 server since they will not reinstall Update 15 or 16 right now, so I can only verify that it works correctly on a CF 2023 Update 14 machine, but not that it fails on an Update 15/16 server. I am trying to get one setup that I can verify on, and also use later to test if people have suggestions or support has any suggestions.

Any thoughts are appreciated.

TestCFC-cfc.txt

application-cfm.txt

test-cfm.txt

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded