ColdFusion (2021 release) Update 20 recently broke multiple autosuggest fields across my organization’s web applications. ColdFusion (2023 release) Update 14 causes the same issue.
Many of our organization’s autosuggest fields utilize Ajax Autocomplete for jQuery. This jQuery plugin retrieves data from a ColdFusion cfc to populate a field as a user enters data.
The frustrating thing for the end user is that the autosuggest fields simply stopped working so there was no error for them to report.
The first step used to troubleshoot the issue was to head over to our Dev environment and fire up Chrome’s Developer Tools and try to use an autosuggest field. The result was a Failed to load resource error in the Console tab.
The next step was to move to the Network tab, locate the url of the call to the cfc, right click and choose “Open in new tab”. The following error was the result.
I saw a nearly identical error message post Update 20 where there was a mismatch in the number of arguments passed to a method in an older cfc in one of our web applications. In that instance, instead of _ the argument being passed was the actual name of a field which was no longer an argument in the method of the cfc so I knew there was an argument mismatch, but what the heck was this _ argument?
The _ argument is appended to the URL by jQuery if you use $.ajaxSetup({ cache: false });. It is a jQuery global configuration that disables caching for all subsequent AJAX GET requests made via jQuery by appending a unique query parameter (like _={timestamp}) to each request URL.
https://demos.local/cfcs/room.cfc?method=getRoomAutoComplete&query=Lab&_=1753998286050
There are 2 ways to fix this issue in ColdFusion or 2 ways to fix it via JavaScript.
ColdFusion Solution 1 – Fix the argument mismatch
Update the method used by autosuggest, in our case getRoomAutoComplete(), to include an argument named _:
remote any function getRoomAutoComplete(required string query, string _) returnformat="plain" {
...
}
ColdFusion Solution 2 A- Override the new feature (ColdFusion Administrator)
In the ColdFusion Administrator search for “Java & JVM” (or in jvm.config) add:
-Dcoldfusion.runtime.remotemethod.matchArguments=false and restart CF services.
ColdFusion Solution 2 B – Override the new feature (CommandBox)
If you’re using CommandBox add the following to your server.json file:
"jvm":{
"args":[
"-Dcoldfusion.runtime.remotemethod.matchArguments=false"
]
}
JavaScript Solution 1 – Avoid disabling caching globally in JavaScript
Avoid using the following to disable caching globally in your JavaScript:
$.ajaxSetup({ cache: false });
JavaScript Solution 2 – Override caching globally in JavaScript
If you must disable caching globally in your JavaScript, you can override it for Autocomplete using the following:
ajaxSettings: {
cache: true
}
This appears to be by design and is an attempt to by Adobe to secure the CFC exploits when it is being accessed via a “public” method.
We’ve been using Taffy for our APIs and, as a result, no CFCs are directly accessible. As a further security precaution, we’ve added both WAF and web server-based rules to block requests to files with “.cfc” in the path. (This “workaround” may not an issue if your CF app is running on a fully-patched installation of ColdFusion, but I often don’t have any choice when it comes to the CF version or patch status… so I do what I can to minimize possible exploits.)
Thanks for this comment! I’m going to look into the WAF and web server-based rules. Do you use Cloudflare for the WAF rules?