Is the "Maximum number of POST request parameters" limit trappable?

Question

Coldfusion 10 allows a limit to be set for the maximum number of POST request parameters (Server Settings / Settings / Request Size Limits / Maximum number of POST request parameters). The default limit is 100.

Is it possible to trap when this limit has been exceeded so that it can be handled with a custom handler? If yes, how?

I've tried to trap it with a site wide error handler and an onError() method in Application.cfc. Neither attempt was successful.

Thanks for looking.

Answer 1

I can confirm the behavior you are seeing. I think the exception is being thrown by the CF servlet, before Application.cfc is invoked, which would explain why onError never fires.

So far, the only option that worked for me is adding a custom error page in WEB-INF\web.xml, using an HTTP status code:

<error-page>
    <error-code>400</error-code>
    <location>/path/to/myErrorPage.cfm</location>
</error-page>

Note: From the comments, @Adrian mentioned that he added the above to \cfusion\runtime\conf\web.xml, rather than the one in web-inf\.

Update 1:

Further reading suggests you can also configure things at a more granular level. To handle a specific kind of exception, use <exception-type> instead of <error-code>. For example:

<error-page>
    <exception-type>java.lang.Exception</exception-type>
    <location>/path/to/myErrorPage.cfm</location>
</error-page>

That said, in my (brief) test, CF10 appeared to use very general exception classes for this error. Both of which have many potential causes, not just posting too many form fields. So keep that in mind. Granted it is a bit more focused than handling all HTTP 500 errors, but it may still encompass other causes as well.

javax.servlet.ServletException: ROOT CAUSE: 
    java.lang.IllegalStateException: Cannot call sendError() ..

Update 2:

Turns out the javax.servlet.ServletException was just a red herring. As @AdrianWright pointed out in the comments, that error is related to Debugging Settings. When CF generates the "Maximum number of POST request parameters" message, it does not properly account for debugging, which in turn causes a new exception: java.lang.IllegalStateException. Hence the HTTP 500 error:

When debugging is disabled (as it would be on a production system) CF simply writes an error message directly to the response stream and returns HTTP status code 400. Since no exception is thrown, <exception-type> is useless here. So you are stuck with using status code:

<error-page>
    <error-code>400</error-code>
    <location>/path/to/myErrorPage.cfm</location>
</error-page>

However, on the custom error page, you can extract the error message from the request stream. Then handle it accordingly:

  <cfset req = getPageContext().getRequest()>
  <cfset message = req.getAttribute("javax.servlet.error.message")>

  <cfif message contains "POST parameters exceeds">
     Too many form fields. do something...
  <cfelse>
     Some other cause. do something else
  </cfif>