7 Replies. Latest reply: May 23, 2013 7:48 AM by Kash3000

    Form error after security hotfix apsb12-15

    sduncanute Community Member

      I tried posting this in the general CF area two weeks ago with no reply, so I thought I'd try here.

       

      I applied the hotfix last week and everything seemed to be working, thought all was well.

       

      It turns out that forms that used to work without a hitch suddenly generated error 500 with no clue as to the real issue.

       

      These forms are simple fill it in, create a pdf file, display the file.  Nothing too creative.  With no error message, and nothing to tell me what is going on with this, I was forced to unload hf901-00005.jar and go back to hf901-00003.jar

       

      It is all working again, but I'd really like to have the security patch AND have my forms work.

       

      Any clues??

        • 1. Re: Form error after security hotfix apsb12-15
          itisdesign CommunityMVP

          sduncanute wrote:


          forms that used to work without a hitch suddenly generated error 500 with no clue as to the real issue.

           

          These forms are simple fill it in, create a pdf file, display the file.  Nothing too creative.  With no error message, and nothing to tell me what is going on with this, I was forced to unload hf901-00005.jar and go back to hf901-00003.jar

           

          It is all working again, but I'd really like to have the security patch AND have my forms work.

           

          Hi sduncanute,

           

          Yes (I experienced the same exact issue when populating PDF forms after upgrading to CF10), and there are actually 2 issues here (but the issues are not PDF-related).  In short, there is a solution.  I'll explain:

           

          First issue: Tomcat errors are not written to start.log or exception.log.  This is why you aren't seeing any logged error.  This is Bug #3126106 and is marked Fixed in CF10 (I haven't verified this, but need to.  This here is a note-to-self. =P).  However, I'm unsure if this is fixed in CF 9.0.2.

           

          Second issue: As apsb12-15 states:

           

          -----------

          1. This hot fix has a new setting in ColdFusion, Post Parameter Limit. This setting limits the number of parameters in a post request. The default value is 100. If a post request contains more parameters as specified, the server doesn't process the request and throws an exception. This process protects against DoS attack using Hash Collision. This setting is different from Post Size Limit (ColdFusion Administrator > Settings > Maximum size of post data). This setting isn't exposed in the ColdFusion Administrator console. But you can easily change this limit in the neo-runtime.xml file. See point 5 below.
          2. Customers who want to change postParameterLimit, go to {ColdFusion-Home}/lib for Server Installation or {ColdFusion-Home}/WEB-INF/cfusion/lib for Multiserver or J2EE installation. Open file neo-runtime.xml, after line

           

          "<var name='postSizeLimit'><number>100.0</number></var>"

           

          Add the line below and you can change 100 with the desired number.

           

          "<var name='postParametersLimit'><number>100.0</number></var>"

          -----------

           

          Basically, the Tomcat error (which you're not seeing) is being thrown b/c the form is attempting to post more than 100 fields.  So, just do as it says above: Add that bolded line and replace 100.0 w/ a number high enough to cover the number of fields in your form.

           

          I'll note that CF10 permits this setting to be adjusted via the CF Admin's Settings page via the "Maximum number of POST request parameters" setting.

           

          Thanks,

          -Aaron
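An added example, not part of the original post and not Adobe's code: a Python check that reads `postParametersLimit` from neo-runtime.xml text and compares it with the number of parameters in a urlencoded POST body, so an oversized form can be identified before the hotfix goes on. The `wddxPacket`/`struct` wrapper in the sample, the function names, and counting every name=value pair (repeats and blanks included) are assumptions; the `var` lines follow the two quoted above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

DEFAULT_LIMIT = 100  # default value stated in the bulletin text quoted above

# Constructed sample: only the two <var> lines come from the thread; the
# surrounding wrapper elements are an assumption about the file's layout.
SAMPLE_RUNTIME_XML = """<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
<var name='postSizeLimit'><number>100.0</number></var>
<var name='postParametersLimit'><number>250.0</number></var>
</struct></data></wddxPacket>"""


def read_post_parameters_limit(xml_text):
    """Return the configured limit, or the default when the var is absent."""
    root = ET.fromstring(xml_text)
    for var in root.iter("var"):
        if var.get("name") == "postParametersLimit":
            number = var.find("number")
            if number is not None and number.text:
                return int(float(number.text))  # stored as e.g. "250.0"
    return DEFAULT_LIMIT


def count_post_parameters(body):
    """Count name=value pairs in a urlencoded body (assumed counting rule)."""
    return len(parse_qsl(body, keep_blank_values=True))


def check_form(body, xml_text):
    """Report whether a POST body would exceed the configured limit."""
    limit = read_post_parameters_limit(xml_text)
    count = count_post_parameters(body)
    return {"count": count, "limit": limit, "rejected": count > limit}


def make_body(n):
    """Constructed POST body with n fields, standing in for a large PDF form."""
    return "&".join(f"field{i}=x" for i in range(n))


if __name__ == "__main__":
    print(check_form(make_body(120), SAMPLE_RUNTIME_XML))
```

Setting the limit only as high as the largest legitimate form keeps the hash-collision DoS protection the hotfix introduces while letting that form post.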

          • 2. Re: Form error after security hotfix apsb12-15
            sduncanute Community Member

            This sounds like the answer I needed.  I'll have to wait until the next server update window, but I'll give this a go.  I don't think they've fixed the Tomcat error in 9.0.2 

             

            Thanks!

             

            Sue

            • 3. Re: Form error after security hotfix apsb12-15
              itisdesign CommunityMVP

              sduncanute wrote:

               

              This sounds like the answer I needed.  I'll have to wait until the next server update window, but I'll give this a go.  I don't think they've fixed the Tomcat error in 9.0.2 

              Hi Sue,

               

              You're welcome and please do let us know later if that setting resolves the issue.

               

              Thanks!

              -Aaron

              • 4. Re: Form error after security hotfix apsb12-15
                sduncanute Community Member

                Just a quick update, I know it's been ages, but just in case someone else was following the thread, it worked.

                 

                Sue

                • 5. Re: Form error after security hotfix apsb12-15
                  itisdesign CommunityMVP

                  Hi Sue,

                   

                  Glad it worked, and thank you very much for confirming!

                   

                  Thanks,

                  -Aaron

                  • 6. Re: Form error after security hotfix apsb12-15
                    K Johnstone Community Member

                    ColdFusion Security Hotfix APSB13-03 on ColdFusion 9

                    http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-03.html

                     

                    FYI, this hotfix seems to have the same problem & fix (altering neo-runtime.xml as above - thank you Aaron!)

                     

                    Notes:

                    After applying the hotfix, users were getting intermittent "The service is unavailable" and "503: Service unavailable" errors.

                    Error also happened on pages with few or no Form Fields & at various times throughout the day. Unable to find anything in various logs.

                    Eventually found we could at least replicate the error with a POST request  with >100 fields (A).

                    Then noticed that a subsequent page request (within a short timeframe) returned an error, but reloading page B worked.
                    So I guess requests like A were also causing the problems for other page requests at around the same time?!

                     

                    kj

                    • 7. Re: Form error after security hotfix apsb12-15
                      Kash3000 Community Member

                      kj,

                       

                      Thanks for posting up the comment about intermittent server issues. I just applied the hotfix for APSB13-13 (http://www.adobe.com/support/security/bulletins/apsb13-13.html) and was running into the same issues. Modifying the neo-runtime.xml, as per Aaron's post, did the trick.

                       

                      -kash