OAuth authentication process sending exploitable pipe (|) characters unencoded


We recently discovered that your OAuth authorization process tacks on a “scope” query parameter to the redirect_uri we provided during the “Request an Access Token” step. (P.S. This isn’t documented in the Authentication Guide.) The value of this parameter contains an unencoded pipe (i.e. |) character, so it’s something like scope=|wn255.infusionsoft.com. This caused issues for us because an unencoded pipe in a query parameter breaks AWS gateway rules for requests, and is blocked by the latest Tomcat by default as well. In the case of Tomcat, they do provide a config setting that allows pipe characters as a workaround: tomcat.util.http.parser.HttpParser.requestTargetAllow=|

However, as Tomcat’s configuration comment states, enabling that opens the Tomcat instance to be exploitable by CVE-2016-6816.

Can the Infusionsoft API devs make a change so that the query parameters attached to the redirect_uri are always URL encoded? In this case, the | character would be turned into %7C.

I submitted a ticket for this a couple of weeks back (case number 00962716), but I haven’t heard back about it, so I thought I’d try here.
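As an added illustration (not code from the original post or from Infusionsoft), the following Python contrasts the behaviour described above with the requested fix: naively concatenating a scope value onto the redirect_uri leaves the raw | in the query, while building the query with percent-encoding turns it into %7C. The callback URL https://app.example.com/oauth/callback and the code/state values are constructed placeholders; the scope value |wn255.infusionsoft.com is the one quoted in the post. The allowed-character set is the RFC 3986 query alphabet, which is what Tomcat's default HttpParser enforces on the request target.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Characters RFC 3986 permits in a query component: unreserved, sub-delims,
# ":" "@" "/" "?", plus "%" for percent-escapes. Anything else (e.g. "|")
# is rejected by Tomcat's default request-target parsing unless it is
# whitelisted via tomcat.util.http.parser.HttpParser.requestTargetAllow.
QUERY_ALLOWED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~!$&'()*+,;=:@/?%"
)


def invalid_query_chars(url: str) -> set:
    """Return the characters in url's query that a strict parser would reject.

    An empty set means the query is within the RFC 3986 alphabet.
    """
    query = urlsplit(url).query
    return {c for c in query if c not in QUERY_ALLOWED}


def naive_append(redirect_uri: str, params: dict) -> str:
    """Mimic the reported behaviour: concatenate key=value pairs without encoding."""
    sep = "&" if urlsplit(redirect_uri).query else "?"
    tail = "&".join(f"{k}={v}" for k, v in params.items())
    return redirect_uri + sep + tail


def append_query_params(redirect_uri: str, params: dict) -> str:
    """Append params to redirect_uri with every value percent-encoded.

    Existing query parameters are preserved; reserved characters in the
    new values (such as "|") become %XX escapes, so the result is accepted
    by strict parsers without loosening their character rules.
    """
    parts = urlsplit(redirect_uri)
    existing = parse_qsl(parts.query, keep_blank_values=True)
    merged = existing + list(params.items())
    # urlencode percent-encodes reserved characters: "|" -> "%7C"
    new_query = urlencode(merged)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, new_query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample callback; only the scope value comes from the report.
    callback = "https://app.example.com/oauth/callback?code=abc&state=xyz"
    scope = {"scope": "|wn255.infusionsoft.com"}

    broken = naive_append(callback, scope)
    fixed = append_query_params(callback, scope)
    print("unencoded:", broken, "rejected chars:", invalid_query_chars(broken))
    print("encoded:  ", fixed, "rejected chars:", invalid_query_chars(fixed))
```

Running the script shows the unencoded form flagged for the single character | and the encoded form passing with %7C in its place, which is the change the post asks the API developers to make.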

Thanks for the report. I created an issue for this and put it on our backlog. I will try and get to it quickly.

Thank you! Will you post in this thread once that’s done?

The reason I ask is that we’ll need some notification that this has been implemented so we can secure our Tomcat again by removing the workaround.

Yep, no problem.