How to change the amount of fields that can be posted in a form with IIS 7.5?

Question

We've hit a problem with some forms in the admin portion of our web app. There are a handful of forms that contain a large number of fields (it can range anywhere from one input field to the hundreds).

We've found that as these forms grow, there is a point where the server will throw 500 errors when a form is posted.

After running a test, I was able to find that the server can handle forms with 100 fields in them; once 101 or more fields are used, we get the errors.

We run Coldfusion, and we have determined that Coldfusion is not throwing this error. We never see this error logged in Coldfusion, so we are assuming IIS is throwing an error even before it sends the request to the Coldfusion server.

I'm assuming there is some setting in IIS 7.5 where we can up this limit. I've searched on the web, but all I can find is how to raise the byte-size limits of this data, not any kind of limit on a number of fields that are allowed.

So, am I right in assuming that this can be changed, and if so, how can it be done?

Answer 1

This is an issue introduced with hotfix APSB12-06. While it is a ColdFusion error, people have reported receiving the error in Tomcat, before it supposedly hit the CF server

There is a setting in neo-runtime.xml which defines the postsizelimit - and is defaulted to 100.

The full notes are located here, but here is the short version.

This hot fix has a new setting in ColdFusion, Post Parameter Limit. This setting limits the number of parameters in a post request. The default value is 100. If a post request contains more parameters as specified, the server doesn't process the request and throws an exception. This process protects against DoS attack using Hash Collision. This setting is different from Post Size Limit (ColdFusion Administrator > Settings > Maximum size of post data). This setting isn't exposed in the ColdFusion Administrator console. But you can easily change this limit in the neo-runtime.xml file. See point 5 below. Customers who want to change postParameterLimit, go to {ColdFusion-Home}/lib for Server Installation or {ColdFusion-Home}/WEB-INF/cfusion/lib for Multiserver or J2EE installation. Open file neo-runtime.xml, after line.

<var name='postSizeLimit'><number>100.0</number></var>

Add the line below and you can change 100 with the desired number.

<var name='postParametersLimit'><number>100.0</number></var>

CF10+ has the setting available to edit within the CF Admin Settings page under Maximum number of POST request parameters under Server Settings -> Settings.

On our 9.0.1 server, we just increased the setting up to 10000 and have seen no adverse effects.

Answer 2

I believe you are bumping up against a security feature of ColdFusion. What ColdFusion version are you running? In ColdFusion Security Hotfix APSB12-06 they introduced a fix to protect against DoS attack using Hash Collision. From that page:

This hotfix implements a new setting in ColdFusion, Post Parameter Limit. This limits the number of parameters in a post request. The default value is 100. If a post request contains more parameters as specified, server will not process the request and throws an exception. This is done to protect against DoS attack using Hash Collision. This setting is different from Post Size Limit (ColdFusion Administrator > Settings > Maximum size of post data). We are not exposing this setting in ColdFusion Administrator console, but this limit can be easily changed in neo-runtime.xml file. See point 5 below.

Also on that page are instructions on how to increase that limit. Basically you have to make a change in your neo-runtime.xml file.

Customers who want to change postParameterLimit, go to {ColdFusion-Home}/lib for Server Installation or {ColdFusion-Home}/WEB-INF/cfusion/lib for Multiserver or J2EE installation. Open file neo-runtime.xml, after line:

<var name='postSizeLimit'><number>100.0</number></var>

add the below line and you can change 100 with desired number.

<var name='postParametersLimit'><number>100.0</number></var>