Hi,
We recently discovered that your OAuth authorization process tacks on a “scope” query parameter to the redirect_uri we provided during the “Request an Access Token” step. (P.S. This isn’t documented in the Authentication Guide.) The value of this parameter contains an unencoded pipe (i.e. “|”) character, so it’s something like scope=|wn255.infusionsoft.com. This caused issues for us because an unencoded pipe in a query parameter breaks AWS gateway rules for requests, and is blocked by the latest Tomcat by default as well. In the case of Tomcat, they do provide a config setting that allows pipe characters as a workaround: tomcat.util.http.parser.HttpParser.requestTargetAllow=|
However, as Tomcat’s configuration comment states, enabling that opens the Tomcat instance to be exploitable by CVE-2016-6816.
Can the Infusionsoft API devs make a change so that the query parameters attached to the redirect_uri are always URL encoded? In this case, the “|” character would be turned into %7C.
I submitted a ticket for this a couple of weeks back (case number 00962716), but I haven’t heard back about it, so I thought I’d try here.
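As an added illustration of the encoding change requested above (example code written for this thread; it is not Infusionsoft’s or Tomcat’s code and the callback URL and parameter values are constructed), the snippet below shows a naive string-concatenation append that produces the raw “|” next to a version that merges parameters into the existing query string with percent-encoding, plus a small check that flags any query characters a strict RFC 3986 parser such as Tomcat’s would reject. This avoids the requestTargetAllow workaround entirely, since the offending character never reaches the receiving server unencoded.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Characters RFC 3986 permits unencoded in a query component
# (pchar plus "/" and "?", with "%" for percent-encoded octets).
# "|" is not in this set, which is why strict parsers reject it.
_QUERY_SAFE = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "-._~!$&'()*+,;=:@/?%"
)


def naive_append(redirect_uri, extra):
    """The problematic pattern: glue raw values onto the URL without encoding."""
    joiner = "&" if "?" in redirect_uri else "?"
    return redirect_uri + joiner + "&".join(f"{k}={v}" for k, v in extra.items())


def append_query_params(redirect_uri, extra):
    """Merge `extra` into redirect_uri's query string with every value percent-encoded.

    Existing parameters on the redirect_uri (e.g. a client's own state) are kept.
    """
    parts = urlsplit(redirect_uri)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params.extend(extra.items())
    query = urlencode(params)  # "|" becomes "%7C", "." stays as-is
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def disallowed_query_chars(url):
    """Sorted list of query-component characters a strict RFC 3986 parser would reject."""
    query = urlsplit(url).query
    return sorted({c for c in query if c not in _QUERY_SAFE})


if __name__ == "__main__":
    # Constructed sample: a client callback URL with its own state parameter.
    callback = "https://app.example.test/oauth/callback?state=xyz"
    extra = {"code": "abc123", "scope": "|wn255.infusionsoft.com"}

    bad = naive_append(callback, extra)
    good = append_query_params(callback, extra)
    print("naive   :", bad, "-> rejected chars:", disallowed_query_chars(bad))
    print("encoded :", good, "-> rejected chars:", disallowed_query_chars(good))
```

Running it shows the naive redirect carrying a bare “|” (flagged by the check) while the encoded redirect contains scope=%7Cwn255.infusionsoft.com and passes cleanly; the receiving side decodes it back to the original value with standard query parsing.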