Issue with remote function parameters on CF 2023 Update 15

I did get Docker running on my local machine, so I was able to test my sample against both CF2023 and CF2025 current version (most recent patch).  

I did do as you suggested for outputting the flags.  
coldfusion.datasource.blocked.properties = allowLoadLocalInfile,allowUrlInLocalInfile,autoDeserialize
*coldfusion.home = /opt/coldfusion/cfusion/bin/..
*coldfusion.jsafe.defaultalgo = FIPS186Random
*coldfusion.libPath = /opt/coldfusion/cfusion/bin/../lib
*coldfusion.rootDir = /opt/coldfusion/cfusion/bin/..
coldfusion.runtime.remotemethod.matchArguments = false

Tried with it set and not set (with CF restarts of CF within the docker after changing the setting).  I still got the same error message:

The PARAM1 parameter to the TestFunc function is required but was not passed in.
The error occurred on line -1.

I tweaked the code to add in an error handler and a link on the test page that is not encrypted.  So I added a total of four links:
* Encrypted Link

* Encrypted Link with Extra Parameter

* Regular Link

* Regular Link with extra Parameter 

What was interesting is that when I did not have the JVM argument in place (related to extra parameter) on the Encrypted link with the extra parameter, it errored about the extra parameter before checking for the required parameter.  (Function TestFunc does not support param2 as an argument in /app/TestCFC.cfc - The error occurred on line -1.)  Obviously this is know because of all the details about Cf 2023 Update 14 and this specific argument.  

Changing the code is not ideal, because I am giving a simple example here, but we do this throughout our entire application, and any remote CFC call that we make would have this same issue.  This is just the fisrt place we ran into it and worked through debugging it.  

Thanks.  

Now that you've concluded for sure that the jvm arg IS there but is NOT helping, it sounds like you're hitting the same problem someone reported about 2 months ago at https://tracker.adobe.com/#/view/CF-4227376. They, too, are using encrypted querystrings--and it may be that this (or the post-processing you guys want to do) is where the problem is happening.

Anyway, add a vote there, at a minimum. And while you can add a "vote comment", that box is tiny. Add a regular comment instead, which is a larger box (easier to read, as well).

And in the meantime perhaps someone else (Adobe or otherwise) may chime in here or there with other thoughts for you.

Thank you for that bug reference.  I did add a comment and a vote on it.  I also added my sample to that in case it will help.  

In replicating on my local machine, I went with Docker, and I was able to get the current version.  With docker is there any easy way to do "ColdFusion 2023-Update 14", instead of just the current version?  I guess other than making my own fresh docker image.  Is there some other repository that might have images stored.  I have not used docker before and was not sure if I was missing something easy.  

If this is too complicated of a question for a quick answer, that is fine, you do not need to explain more.  

I have very good news for you.

First, note that Adobe offers an image for EACH update, for all three of cf2025, 2023, and 2021. They're all at the AdobeColdFusion docker hub page , or Amazon ecr. Choose the specific image for a given version, then see the "tags" on the right, where there is a different tag for each update. For example, you could use adobecoldfusion/coldfusion2025:2025.0.4

There's also a considerable docs page from Adobe on using those images, linked to from there. It's a great way to be introduced to what's configurable with them.

Finally, for even more, note that I have a github repo with dozens of examples on using the Adobe (and Lucee and Commandbox) images in various ways (including choosing versions and LOTS more), at https://github.com/carehart/awesome-cf-compose.

And of course I can help directly with all aspects of using them, if needed. 

The problem I see in your code example is that there is a base64-encoded string in the URL, instead of just 

?method=methodName&param1=param1Value&param2=param2Value

The following version of your code works without any problem:

test.cfm

<cfset tmpURLData="Method=TestFunc&Param1=Test&DataExpiration=#encodeForURL(DateFormat(dateAdd("h", 1, NOW()), "mm/dd/yyyy") & " " & timeFormat(dateAdd("h", 1, NOW()), "HH:mm"))#">
<cfoutput>
 Here is a testing link:  <a href="./TestCFC.cfc?#tmpURLData#">Test Link</a>
</cfoutput>

TestCFC.cfc

<cfcomponent>

    <cffunction name="TestFunc" access="remote" output="yes">
	    <CFArgument name="Param1" required="yes">
	    <CFArgument name="DataExpiration" required="yes">
    
        <CFOutput>Found: #Arguments.Param1#</CFOutput>
    </cffunction>
</cfcomponent>

Result (in my test) of running test.cfm:

Result of clicking on the link:

I appreciate you taking some time running my samples and posting back your results.  For the Test case, are you running CF 2023 with update 15 or 16 installed, it is only happening on those.  Testing without the encrypted data is working around the issue but not the direction that I want to go.  Just to be clear, the sample with the encryption does work correctly on CF 2023 Update 14 and before, so the approach is and has worked for a long time.  (This code has been in place for almost 10 years now originally written under CF 2016).  

The purpose of the code is to add a layer of obfuscation to URL's so that the user does not know the data or even arguments getting passed back to the server.  We still validate the data and do other checks, but it is just one measure to make it more difficult.  More importantly, we include a date/time in the encrypted data that identifies a future date, and when that is past, we invalidate all the data.  This allows us to have a time sensitive link that will not work after we do not want it to work (help reduce the ability to do reply attacks).  Some parts of our code will only accept data that is coming in the encrypted data, so someone can not just make the call with the arguments un-encrypted.  

While this is not something to completely secure our application, but with security is all about having layers, and this is just another layer.  

Up until Update 15 on CF 2023 (and also the recent update on 2025), this process worked fine.  In the application.cfm file, we decrypt the data and put it in the URL scope, and the function calls work fine.  Something actively changed in that update that caused this issue.  Charlie pointed to a ticket that someone else posted about the exact same issue.  

Thank you.  

Thanks for clarifying, @matthewl20646694 . I now understand better what the issue is, and that it has been confirmed to be a bug.. 

That said, I still have some suggestions.

1.  Use Application.cfc in place of Application.cfm. I don't fully understand what is going on in Application.cfm, but I can see that its contents are better suited to Application.cfc, as the CFC is event-driven. The code shows clearly that you want a function to run when a request to a predefined target page starts. With Application.cfc you can precisely time the occurrence of such an event. 
   I shall put the Application.cfm to one side. To enable me to proceed with the testing of test.cfm I shall replace
   

   #request.ParameterEncryptionKey#​

   
   with
   

   #generateSecretKey('AES')#​

   
   
   
2.  I think your test.cfm code example could benefit from some simplication. At the moment, too many different variables are bundled together in a single line.
   
   For example, the variable tmpURLData is compounded so often that, in the end, it's unclear what it stands for. 
   Therefore, it would help to separate the various variables involved. I shall do so in a moment.
   
   
3.  Even though the data in tmpURLData is initially url-encoded, it is subsequently url-encoded, and again, unnecessarily.
   
   
   
4. The purpose of the variable EUData is unclear. A remote CFC call should usually include, as a standard, the variable method=methodName . Whereas your first link does not. There the EUData value is something like
   

   EUData=#encrypted_string_that_has_been_encoded_for_URL#​

   There is no method=TestFunc, which can be a problem. We therefore need to add it.
   
   

5.  Apparently, EUData is central to what you want to do in the Application file. As you are already aware, ColdFusion has become stricter with regard to the remote calling of CFC methods.  If EUData must be in the remote call, then the function must explicitly have
   

   <CFArgument name="EUData" required="yes">​

   And vice versa.

   
   The above suggestions result in the following test code:
   

   <--- TestCFC.cfc --->
   <cfcomponent>
   
       <cffunction name="TestFunc" access="remote" output="yes" returntype="void">
   
   	    <CFArgument name="EUData" required="yes">
   	    <CFArgument name="Param1" required="no">
   	    <CFArgument name="Param2" required="no">
   	    <CFArgument name="DataExpiration" required="no">
   
           <cfdump var="#arguments#" >
       </cffunction>
   </cfcomponent>​

    

   <!--- test.cfm --->
   
   <CFTry>
   
   <CFSet tmpURLData="Method=TestFunc&Param1=Test&DataExpiration=#encodeForURL(DateFormat(dateAdd('h', 1, NOW()), 'mm/dd/yyyy') & ' ' & timeFormat(dateAdd('h', 1, NOW()), 'HH:mm'))#">
   <CFSet randomizedURLData="R=#randrange(100,999)#&#tmpURLData#">
   <CFSet encryptedURLData = encrypt(randomizedURLData,"#generateSecretKey('AES')#",'AES', 'Base64')>
   <CFOutput>
   
       Here is Encrypted link:  <a href="./TestCFC.cfc?method=TestFunc&EUDATA=#encryptedURLData#">Test Link</a><br>
       Here is Encrypted link with Extra Parameter:  <a href="./TestCFC.cfc?#tmpURLData#&Param2=something&EUDATA=#encryptedURLData#">Test Link</a><br>
       Non Encrypted link:  <a href="./TestCFC.cfc?Method=TestFunc&Param1=Test&EUDATA=#encryptedURLData#">Test Link</a><br>
       Non Encrypted link with Extra:  <a href="./TestCFC.cfc?Method=TestFunc&Param1=Test&Param2=something&EUDATA=#encryptedURLData#">Test Link</a><br>
   
   </CFOutput>
   
   
   <br><br>
   <cfloop collection="#StructToSorted(server.system.properties,"text","asc")#" item="key">
       <cfif key.startswith("coldfusion.") and not key is "coldfusion.classpath">
           <cfif listfind("coldfusion.home,coldfusion.jsafe.defaultalgo,coldfusion.libPath,coldfusion.rootDir",key)>*</cfif>
           <cfoutput>#key# = #server.system.properties[key]#</cfoutput><br>
       </cfif>
   </cfloop>
   
   <CFCAtch type="any">
   	<CFdump var="#CFCatch#">
   </CFCAtch>
   </CFTry>

   
     

Thank you for the reply.  I very much appreciate your time and thoughts on this.  

First off, this is just sample code, the actual code is embeded in templates with a lot more going on, so I was actively trying to just extract enough logic so that I could show the issue.  It is not what I would normally want for regular production code.   Most of the issues that you mention are avoiding/working around the actual issue that I ma trying to get at, that ColdFusion does not seem to be looking at the URL scope when looking at the remote function call.  It does for the new "Extra Parameter" issue disuccssed related to Update 14, but this is sort of the opposite problem.  

You mentioned about replacing my request parameter of Key with "#generateSecretKey('AES')#​".  The problem with that is that the page that generats the link would have a differnt key than the page trying to decrypt it.  The code works so that you encrypt the data with a given key, and then that key is used for decryption.  If you call the Generate key on every page call, then they would not match.  

I think that you may be right about too many Encode for URL, but it is working, and as I said, I do not have that in my real code.  

EUData is designed to be an encrypted string that has regular key/value URL pairs of data encrypted with in.  So the link would look like:
TestCFC.cfc?EUData=ui9eTHvdhYo6opbyLfU2rGKmBsa1%2FbYY7diE3BJ607HdztvuoEW6UcHTmH5ehV%2FFEKlO0eisUGYKXHeBfxyx5GXd0vqgq%2BmvICY%2BT3E%2FXdU%3D

But, once it is run through the decryption it would look the same as:
TestCFC.cfc?Method=TestFunc&Param1=Test
The decryption function gets rid of EUData from the URL scope, so that is why it is not needed in the function definition.  By the time that the code reaches the function it only has Method and Param1 left in the URL scope.  

As for using Application.cfm / Application.cfc, I do use both in our application, and it does not really impact things, since all that I am done in this sample is defining a function and then calling it to decrypt the data.  This is done very differnetly in production, but I was just trying to create a simple example here.  

I do have a call with Adobe support to talk thorugh the issue, and will update here if there is any update after that discussion.  As Charlie pointed out, this was identified and reported a few months back after Update 15 but there is no change in Update 16.  

Thank you.  

I talked with Adobe support, and went through it.  They are going to discuss it more internally.  While looking at it, I also changed the code:
<CFArgument name="Param1" required="yes">
to 
<CFArgument name="Param1" required="no" default="">

And this did not throw an error, but it did use the default blank value instead of the value set in the URL scope in application.cfm.  This is a change in behavior since CF 2023 Update 15 and beyond.  

It is almost like they are getting the URL scope before processing application.cfm.  This can cause issues for other people that might not be doing things like me, but maybe you are sanatizing/modifying the data in the URL scope before it reaches the specific function.  For example if you are doing some sort of web application firewall that runs during your application.cfm that does things to modify values passed in the URL.  

It did not sound like this was intentional behavior change, but hopefully we can find out and know if this is on purpose or not and know if things need to change or not.  

Thanks.  

Thanks for the update, @matthewl20646694 .

Let me start by clearing up a misunderstanding. I did not suggest that you replace your request parameter of Key with "#generateSecretKey('AES')#​".  Your code generates the key in Application.cfm. The key is used in test.cfm.

However, the suggestions I was going to give would be on test.cfm and TestCFC.cfc. As I said, I would ignore the Application.cfm. But the key it generates is needed to test the suggestions. Hence the use of the value "#generateSecretKey('AES')#​"., simply as a placeholder.

Nowhere in the suggestions did I think about "avoiding/working around the actual issue". The aim of the suggestions is to improve the code, irrespective of any underlying ColdFusion issues. 

EUData is designed to be an encrypted string that has regular key/value URL pairs of data encrypted with in.  So the link would look like:
TestCFC.cfc?EUData=ui9eTHvdhYo6opbyLfU2rGKmBsa1%2FbYY7diE3BJ607HdztvuoEW6UcHTmH5ehV%2FFEKlO0eisUGYKXHeBfxyx5GXd0vqgq%2BmvICY%2BT3E%2FXdU%3D

By @matthewl20646694

I did understand that. I hope you can see it implies the following: calling a CFC remotely without passing the method. That might be a problem.

I suggested the following correction, which contains the essence of your code:

• In test.cfm

Here is Encrypted link:  <a href="./TestCFC.cfc?method=TestFunc&EUDATA=#encryptedURLData#">Test Link</a>

•  In TestCFC.cfc
  

<CFArgument name="EUData" required="yes">

       

Thank you very much for your thought and time on this.  I really do appreciate it.  

The error message, "Call is missing Param1" is an indication that it knows the specific function I am calling.  I can change the parameter name, and it will change the message to match the parameter name.  So if there was an issue with using this encryption on the method name, then it would not know the name of the parameter that is missing.  

While this simple example, moving the decryption into the function and using EUData as the argument might be an option, but this would have to happen in a lot of template in my application, because just about every link that goes through a user's browser on the application uses this technique.  I also do not use encryption when the server is making a call back to itself, so a change in each function would require a large amount of code changes.  

If I was just starting to try to implement this, then I would agree with a lot of what you have said and handle it very differently.  The big issue is that this technique has been working for me and other people for a long time and only just now broke with a very specific update patch applied from Adobe.  From talking with support, they did not seem to indicate that this was intentional or something they were purposefuly doing, but it is hard to know since I have only dealt with the first level support and they may not know as much.  

As for doing this all with the application.cfm, the purpose of doing it there is that the rest of the code does not have to do anything special or be aware of anything happening at all.  It happens "auto-magically".  While this sample was using Application.cfm, we do have several application within our code, and several of the mdo use application.cfm and the decryption is done on the the request start. My companies main application started back in 2000 and has just evolved over the years.  We have used better techniques in various parts of our application, but some of the core code, there was just no compelling reason to modify.  

I am just hoping not to have to change hundreds of templates because of a change that adobe did not intend to make.  If they come back and this was an intentional change, then yes I will probably use a lot of the changes dicussed on this thread.

Thank you.  

Hi @matthewl20646694 , thanks for the clarification. It confirms that my understanding of the intention of the code has been correct right from the start. However, I think I haven't yet convinced you that there are possible loopholes in the reasoning and in the design of your code. There actually are. They could do with some improvement. 

Before we get to the root-cause of the issue, let me show you that I understand what is going on. What I understand is essentially as follows. The code that is causing the issue involves a CFC, a test CFM and Application.cfm. The test CFM contains a link to a remote call to the CFC:

test.cfm

<!--- 
The query-string consists of the requested CFC method and 4 URL variables and their respective values.
The entire query-string is url-encoded, then encrypted.
The link represents a remote call to the CFC.
In the call, the query-string has been replaced by just one variable, EUData=#UrlEncodedEncryptedQueryString#,
--->
<CFSet queryString = "Method=TestFunc&Param1=Param1Value&Param2=Param2Value&Param3=Param3Value&Param4=Param4Value">
<CFSet encryptedQueryString = encrypt(queryString,"PjzF/tm6q3FB+jtYUsLXqzJMYsdCSBwd3cvtYfyTeuo=",'AES', 'Base64')>
<cfset UrlEncodedEncryptedQueryString = encodeForURL(encryptedQueryString)>
<CFOutput>
    The encrypted link:  <a href="./TestCFC.cfc?EUData=#UrlEncodedEncryptedQueryString#">Test Link</a><br>
</CFOutput>

TestCFC.cfc

<cfcomponent>
    <cffunction name="testfunc" access="remote" returntype="void">
	    <cfargument name="param1" required="yes">
    
    </cffunction>
</cfcomponent>

Application.cfm

<!---
The remote URL request is intercepted here.
The main (single) URL variable, EUData, is decrypted and its constituent parts extracted.

(Note: Though the constituent parts consist of the 5 name-value pairs from the original query-string in the test CFM, they are themselves NOT URL variables. 
The only URL variable ColdFusion knows at this point is URL.EUData.) 

The decrypted string is parsed, from which URL variables are set, among which, 

<cfset url.method = "testFunc">
<cfset url.param1= "Param1Value">
<cfset url.param2= "Param2Value">
<cfset url.param3= "Param3Value">
<cfset url.param4= "Param4Value">
--->

The issue: 

When you run test.cfm and click on the link, you get the error "The PARAM1 parameter to the testFunc function is required but was not passed in.". You're getting the error after Update 14 of ColdFusion 2023. The code worked without any issues on previous updates.

I hope that shows you I understand what the issue is. Then I will say that the cause of the issue is clear. Following Update 14 of ColdFusion 2023, remote CFC calls have become stricter. If the remotely invoked CFC method contains a required argument, then that argument must be present as one of the parameters in the query-string. Otherwise you will get an error.

Now comes what I consider to be the root cause of the error you're getting. In using Application.cfm to intercept the URL request, you're effectively doing a URL-rewrite. As far as ColdFusion is concerned, the only URL variable it knows is EUData. The variable URL.method does NOT yet exist.

The root cause is that, rightly or wrongly, ColdFusion is preprogrammed to validate the remote CFC method the moment url.method is defined. That is, the moment it encounters:

<cfset url.method = "testFunc">

 
That is what happens in your case. Apparently, that line of code confuses ColdFusion into thinking that method=testFunc is part of the query-string coming from the browser. But then it misses the required parameter. Hence the error.

Here's much simpler code to reproduce the behaviour:

test.cfm

<CFSet queryString = "Method=TestFunc&ParamX=ParamXValue">
<CFSet encryptedQueryString = encrypt(queryString,"PjzF/tm6q3FB+jtYUsLXqzJMYsdCSBwd3cvtYfyTeuo=",'AES', 'Base64')>
<cfset UrlEncodedEncryoptedQueryString = encodeForURL(encryptedQueryString)>
<CFOutput>
    The encrypted link:  <a href="./TestCFC.cfc?EUData=#UrlEncodedEncryoptedQueryString#">Test Link</a><br>
</CFOutput>

TestCFC.cfc

<cfcomponent>
    <cffunction name="testfunc" access="remote" returntype="void">
	    <cfargument name="paramX" required="yes">
    
    </cffunction>
</cfcomponent>

Application.cfc

<cfcomponent>
<cfset this.name = "RemoteCFCTestApp">

<cffunction name="onApplicationStart" returntype="boolean">
		
<cfreturn true>
</cffunction>

<cffunction name="onRequestStart" returntype="boolean">
 	<cfargument name = "targetPage" type="String" required="true"> 	

 	<!--- 
 	The next line automatically triggers validation of the remote call testFunc().
    If the function happens to have a required argument, you will get an error.
 	--->
 	<cfset url.method="testFunc">
 	<!---<cfset url.paramX="ParamXValue">--->
 		
 	<cfreturn true>
</cffunction>
 
</cfcomponent>

That such things happened "auto-magically" is a clear sign that you were taking risks. One little change or bug-fix in ColdFusion, and the whole pack of cards may come crashing down. 

As a workaround, here's one of my suggestions once again: include method=testFunc transparently in the link from the browser..That is,

• In test.cfm

Here is Encrypted link:  <a href="./TestCFC.cfc?method=testFunc&EUData=#encryptedURLData#">Test Link</a>

•  In TestCFC.cfc
  

<CFArgument name="EUData" required="yes">

@matthewl20646694 , it might help to share my latest explanation with your contact at Adobe. They should be aware that

<cfset url.method="testFunc">

automatically triggers validation of the remotely called CFC mehod. 

I do not think that is true.  

I have switcxhed over to using application.cfc, to see if that made a difference.  I have in there:

 I  am surprised you start by saying, "I do not think that is true. "  After that, you actually proceed to reproduce the exact situation I had described.

In short, the root-cause is:
In the ColdFusion build where you encounter the issue, the line 

<!--- 
Remotely requested CFC method which has at least one "required" argument 
--->
<cfset url.method="testFunc">

automatically triggers ColdFusion to validate the method for required arguments.

Your conclusion is:

... it gives the same error about " The PARAM1 parameter to the TestFunc function is required but was not passed in.".  So it gets the METHOD name from where I set it in the application.cfc, but it does not get/read the parameters set there. 

By @matthewl20646694

That is the same as my conclusion about the root-cause:
"The root cause is that, rightly or wrongly, ColdFusion is preprogrammed to validate the remote CFC method the moment url.method is defined. That is, the moment it encounters:

<cfset url.method = "testFunc">

 
That is what happens in your case. Apparently, that line of code confuses ColdFusion into thinking that method=testFunc is part of the query-string coming from the browser. But then it misses the required parameter. Hence the error."

As I said, it might help to share my latest explanation with your contact at Adobe. They should be aware that, in the latest ColdFusion 2023 build, the assignment url.method = "myMethod" automatically triggers validation of the method. They could then tell you whether that is an intentional change, or an unintentional side-effect or bug that needs to be fixed..

I have switcxhed over to using application.cfc, to see if that made a difference. 

By @matthewl20646694

To be clear, switching  from Application.cfm to Application.cfc improves the design of your code. However, the switch does not influence the behaviour we have been discussing.

Hi @matthewl20646694 , any news on this? What did Adobe say?

I have not heard anything else on this ticket.  Is that normal from them?  I have not dealt enough with Adobe/ColdFusion support to know if that is expected or I should ping them on it.  

Thanks for asking.  

Well, some good news is that the ticket is indeed marked "to fix". They don't say "when", but it's a step in the right direction.

To your question, there's never a guarantee they'll respond--even if you're the one who opens the ticket, and rarely when you're just a commenter. Time will tell.