I’ve come across multiple people lately who have been bitten by this, so I thought a quick blog post would be useful for my readers. If you’ve recently upgraded or patched your ColdFusion server, you may find that some forms return an error when submitted. Here is an example:
To cause this error, I simply created a form with 101 fields like so:
If you modify the loop to go to 100 instead of 101, it works fine. People using ColdFusion 10 or a recently patched ColdFusion 9 will encounter this.
The cause is a recent security fix. You can read the details here (Adobe ships patch for ColdFusion flaw that could lead to DoS attacks), but most likely you are only concerned about how to get around this.
In the ColdFusion 10 Administrator, under Settings, way at the bottom, you will find this new setting:
You can tweak this to a value that makes sense for your form. For folks using ColdFusion 8 and 9, you have to edit a bit of XML to handle this. Details may be found here: ColdFusion Security Hotfix APSB12-06.
A few minutes after I posted this blog post I tried a quick experiment. In ColdFusion 10, you can finally take form fields of the same name and have them treated as an array. If you add this.sameformfieldsasarray = "true"; to your Application.cfc and post 2 form fields with the same name, their value in the form scope will be an array. I recommend this setting in general, as a list (the normal behavior) cannot be reliably decoded. Turns out, if you use the same field name, you can post any number of form fields you want. I tried with 200, no problem. If you also do the sameformfield thingy, the values work just fine.
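A test page for checking where your own server's limit sits after patching, covering both the 101-field form and the same-name experiment described above. This is an added example, not the code from the original post; the file name, the url.count and url.mode parameters and the field names are assumptions made for illustration.

```cfml
<!--- postlimit.cfm (hypothetical file name): added test page, not the original post's code. --->
<cfparam name="url.count" default="101">
<cfparam name="url.mode" default="distinct">

<!--- Clamp the count so the page cannot be asked to render an unbounded form. --->
<cfset fieldCount = max(1, min(val(url.count), 500))>
<!--- mode=same posts every value under one field name; anything else uses field1..fieldN. --->
<cfset sameName = (url.mode eq "same")>
<cfset modeValue = sameName ? "same" : "distinct">

<cfif structKeyExists(form, "fieldnames")>
    <!--- This branch runs only when the server accepted the POST. --->
    <cfoutput>
        <!--- Subtract 1 for the built-in form.fieldnames key. --->
        <p>POST accepted: #structCount(form) - 1# field name(s) in the form scope.</p>
        <cfif structKeyExists(form, "field")>
            <!--- An array means this.sameformfieldsasarray is enabled in Application.cfc. --->
            <cfif isArray(form.field)>
                <p>form.field is an array of #arrayLen(form.field)# values.</p>
            <cfelse>
                <p>form.field is a list of #listLen(form.field)# values.</p>
            </cfif>
        </cfif>
    </cfoutput>
</cfif>

<cfoutput>
<form method="post" action="#htmlEditFormat(cgi.script_name)#?count=#fieldCount#&amp;mode=#modeValue#">
    <cfloop index="i" from="1" to="#fieldCount#">
        <!--- Hypothetical field names: one shared name, or a distinct name per field. --->
        <cfset fieldName = sameName ? "field" : "field#i#">
        <input type="hidden" name="#fieldName#" value="#i#">
    </cfloop>
    <!--- The submit button has no name, so it adds no POST parameter. --->
    <input type="submit" value="Post #fieldCount# fields (#modeValue#)">
</form>
</cfoutput>
```

Request it with ?count=100 and ?count=101 to see the default limit from the post, then with ?count=200&mode=same to repeat the same-name experiment.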