Skip to main content
M
matthewl20646694
Inspiring
November 5, 2025
Question

Issue with remove function parameters on CF 2023 Update 15

  • November 5, 2025
  • 3 replies
  • 559 views

Let me start, I do know about the changes in Update 14 related to "extra" arguments, and this is not the same issue, but I think it might be related.  The error is that a paramerter can not be found when making a call to a remote function in a CFC.  

 

Here is the top of the function definition:

    <CFFunction name="getTable" access="remote">
      <CFArgument name="Datasource" required="yes">
      <CFArgument name="Username" required="yes">
      <CFArgument name="Password" required="yes">
 
I am getting an error about " The DATASOURCE parameter to the getTable function is required but was not passed in.".  
 
Where this gets more complicated is that we encrypt all the data in our URL's.  So the call to the CFC looks like:
https://server/AgentListPolicies.cfc?EUDATA=... encrypted string ....
 
Then during the processing of application.cfm, we take the encrypted string, decrypt it and put all the variables from the string in the URL scope.  Doing a <CFDump var="#url#"> after the decryption, I can see all the variables
struct
DatasourceMYdataSource
PasswordXXXXXX
UsernameXXXXXX
methodgetTable

 

This code has worked up until Update 15 on CF 2023.  I did uninstall back to Update 12 and installed each update one by one and it worked fine on Update 14, but as soon as I install Update 15 it fails.  So this is something that specifically changed in Update 15 of ColdFusion 2023.  I did also try update 16, with the same issue as 15.  We started at 16 and after the issue we went back starting at 12 and doing each update one at a time with full WSConfig and clearing of all cached files.  

 

I am guessing that it is something about what/when the code is looking at the arguments in determining if they are passed.  Up to this point, it has seemed to be after the processing of application.cfm.  

 

I can do:

https://server/AgentListPolicies.cfc?EUDATA=... encrypted string ....&DataSource=&Username=&Password=

Where I pass in blank in the URL and my decription code overrites the blank with the needed value.  It is using the values from my decryption code puts into the URL scope without issue.  What is weird is that the Method name is in the encrypted data and the EUDATA is in the URL scope until my decrpytion code runs, and I remove it from the URL scope at the same time that I add in the other variables.  I have tried with and without the Dcoldfusion.runtime.remotemethod.matchArguments=false flag with no difference.  

 

We use the URL encryption in a lot of places of the code, so we can not add in blank values for all URL calls.  I can change the code on this function to make those arguments optional and then check in the code that they are set.  I can come up with several ways around this, but I am hoping there is some new setting/configuration argument that I am missing that might resolve this issue.  

 

 

Is there anything I am missing before I post this to Adobe support?  

 

Thank you.  

 

 

    3 replies

    BKBK
    BKBK
    Community Expert
    November 21, 2025

    @matthewl20646694 , is it possible for you to update your original post? If so, then could you please change the word "remove" in the title to "remote"? That will help future developers searching for the subject on the web.

    Charlie Arehart
    Charlie Arehart
    Community Expert
    November 5, 2025

    Matthew, that's certainly some interesting gymnastics you've had to go through.

     

    I'd like to focus on your last point. You say you added Dcoldfusion.runtime.remotemethod.matchArguments=false but it didn't help. First, let's confirm that is indeed set as you think it is. If you just dump the server.systemproperties, it will show you a few dozen things--among which will be any such JVM args, whether set by you in the CF admin or jvm.config. But there are also others that CF sets, and ones that the OS and Java and Tomcat set that are shown. So look for the ones starting with "coldfusion."

     

    And I've created a github jist of some code to do just that for you. See it here.

     

    BTW, I was writing that and this up while I see you offered your next reply with examples. I may not have time soon to try that, but perhaps others will. In the meantime, please do run that code I offer and see if you DO see that env var set. If not, you'll want to pursue why it's not set when you thought it was.

     

    Granted, fixing your code would be better, but I suspect you'd like to do the update if not for this problem, so if the JVM arg DOES work for you then it DOES allow you to proceed. Then maybe your example will help Adobe or us here to see what it is about your code that doesn't work without it.

    /Charlie (troubleshooter, carehart. org)
    M
    matthewl20646694Author
    Inspiring
    November 5, 2025

    I did get Docker running on my local machine, so I was able to test my sample against both CF2023 and CF2025 current version (most recent patch).  

     

    I did do as you suggested for outputting the flags.  
    coldfusion.datasource.blocked.properties = allowLoadLocalInfile,allowUrlInLocalInfile,autoDeserialize
    *coldfusion.home = /opt/coldfusion/cfusion/bin/..
    *coldfusion.jsafe.defaultalgo = FIPS186Random
    *coldfusion.libPath = /opt/coldfusion/cfusion/bin/../lib
    *coldfusion.rootDir = /opt/coldfusion/cfusion/bin/..
    coldfusion.runtime.remotemethod.matchArguments = false

     

    Tried with it set and not set (with CF restarts of CF within the docker after changing the setting).  I still got the same error message:

    The PARAM1 parameter to the TestFunc function is required but was not passed in.
    The error occurred on line -1.


    I tweaked the code to add in an error handler and a link on the test page that is not encrypted.  So I added a total of four links:
    * Encrypted Link

    * Encrypted Link with Extra Parameter

    * Regular Link

    * Regular Link with extra Parameter 

     

    What was interesting is that when I did not have the JVM argument in place (related to extra parameter) on the Encrypted link with the extra parameter, it errored about the extra parameter before checking for the required parameter.  (Function TestFunc does not support param2 as an argument in /app/TestCFC.cfc - The error occurred on line -1.)  Obviously this is know because of all the details about Cf 2023 Update 14 and this specific argument.  

     

    Changing the code is not ideal, because I am giving a simple example here, but we do this throughout our entire application, and any remote CFC call that we make would have this same issue.  This is just the fisrt place we ran into it and worked through debugging it.  

     

    Thanks.  

     

     

    BKBK
    BKBK
    Community Expert
    November 10, 2025

    I do not think that is true.  

     

    I have switcxhed over to using application.cfc, to see if that made a difference.  I have in there:

        public boolean function onRequestStart(required string targetPage) {
            DecryptData();
            url.method="TestFunc";
            return true;
        }
     
    Then on the test page, I did a link of:
    ./TestCFC.cfc?EUData=#encodeForURL(encrypt("Param1=Test","#request.ParameterEncryptionKey#",'AES', 'Base64'))#
    So the Method is not included in the URL (encrypted or not).  I only set the url.method after the data is decrypted.  And I continue to get "The PARAM1 parameter to the TestFunc function is required but was not passed in.".  So at the end of processing the OnRequestStart, it has the method and all the arguments in place on the URL scope but fails.  And it did not know that I wanted that method until after everything else.  BUT since it specifically referencesin Param1, it do know the method that I want to use.  
     
    It is like they are getting the URL scope into some internal variable, then starting user code processing with application.cfm.  It uses the user accessible URL scope when it gets into the CFC to determine the method and if there are any extra arguments.  But then for the actual data, it is going back to some pre-user code variable to get the actual values.  
     
    Removing all the encryption, call the CFC, but do not pass any variables.  Then in the application.cfc on request start, set the parameters you need and the method.  On update 14 and before, this would work.  
     
    I did a link of:
    ./TestCFC.cfc?bSetInApp=true
    Then in my application.cfc I have:
        public boolean function onRequestStart(required string targetPage) {
            if(structKeyExists(url, "bSetInApp") AND url.bSetInApp EQ true){
                structDelete(url, "bSetInApp");
                url.method="TestFunc";
                url.Param1="test2";
            } else {
                DecryptData();
                url.method="TestFunc";
            }
            return true;
        }
    I tried this on the SP14 version of CF and it came back without a problem.  On Current version it gives the same error about " The PARAM1 parameter to the TestFunc function is required but was not passed in.".  So it gets the METHOD name from where I set it in the application.cfc, but it does not get/read the parameters set there. 
     
    I was getting excited and hopeful for a moment...  so close...


    At this point, I do not think there are any “common” code changes that can be done without going into every remote function and link and changing the behavior.  I am just waiting for Adobe to say either “This was on purpose for security and it will not change back”...  or “we did not mean for that change in behavior and we will consider changing it back”  or “we did not mean for that change, but it will remain as it is” 
     
    Thanks.  
     
     
     

     I  am surprised you start by saying, "I do not think that is true. "  After that, you actually proceed to reproduce the exact situation I had described.

     

    In short, the root-cause is:
    In the ColdFusion build where you encounter the issue, the line 

    <!--- 
Remotely requested CFC method which has at least one "required" argument 
--->
<cfset url.method="testFunc">

    automatically triggers ColdFusion to validate the method for required arguments.

     

    Your conclusion is:

    quote

    ... it gives the same error about " The PARAM1 parameter to the TestFunc function is required but was not passed in.".  So it gets the METHOD name from where I set it in the application.cfc, but it does not get/read the parameters set there. 


    By @matthewl20646694

     

    That is the same as my conclusion about the root-cause:
    "The root cause is that, rightly or wrongly, ColdFusion is preprogrammed to validate the remote CFC method the moment url.method is defined. That is, the moment it encounters:

    <cfset url.method = "testFunc">

     
    That is what happens in your case. Apparently, that line of code confuses ColdFusion into thinking that method=testFunc is part of the query-string coming from the browser. But then it misses the required parameter. Hence the error."

     

    As I said, it might help to share my latest explanation with your contact at Adobe. They should be aware that, in the latest ColdFusion 2023 build, the assignment url.method = "myMethod" automatically triggers validation of the method. They could then tell you whether that is an intentional change, or an unintentional side-effect or bug that needs to be fixed..

    M
    matthewl20646694Author
    Inspiring
    November 5, 2025

    I did submit this to CF Support, but maybe someone knows something I am missing or maybe someone else is having issues similar.  

     

    I have tried to distill all the code into a sample test file that people can try locally.  Since I am not allowed to attach CFM file, they are just named to .txt file, but remove that from each of the files and put in a single directory.  Please do not criticize the code, I was trying to extract out the relevant parts from a lot more complicated code to demonstrate the issue.  

    The application.cfm file just has a decrpyiton function that is called and then thge URL scope is dumped.  The CFC just dumps the value of the argument passed in.  When you open test.cfm, you will get a link, that is something like:
    http://localhost/testenc/TestCFC.cfc?EUData=6eFox1UuBTPKiJyP0tznAWKmBsa1%2FbYY7diE3BJ607HdztvuoEW6UcHTmH5ehV%2FFhKRR8EfqqCkAfn4TmEuPoxgEpudIIyGMetZsW67v3Mg%3D

    Where all the parameters of the URL are in an encrypted string.  

    Unfortunately, I was only able to test this on a CF 2023 Update 14 server since they will not reinstall Update 15 or 16 right now, so I can only verify that it works correctly on a CF 2023 Update 14 machine, but not that it fails on an Update 15/16 server.  I am trying to get one setup that I can verify on, and also use later to test if people have suggestions or support has any suggestions.  

     

    Any thoughts are appreciated.  

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices