Closed KatharinaSt closed 5 years ago
Okay, it's not an issue at all.
As I understand it, the request that is pretended to be from PayPal is sent back via this mechanism so that PayPal can verify or reject the authenticity of the message. If an attacker has actually sent a malicious request (also with evil characters), PayPal will negate the request and no verification will take place.
General information
Issue description
In the PHP sample the POST input is read via file_get_contents('php://input') and then parsed to a new query string. The value parts are correctly sanitized via urlencode(), the keys however are not. I am not sure if this can actually lead to serious security issues in this context but at least special characters can be included as query keys that do not conform to the RFC (if they have been sent without urlencoding before).
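Added example, not code from the PayPal sample or from this issue: a rebuild of the query string that encodes keys as well as values, next to a stand-in for the behaviour described above. The function names and the sample body are assumptions made for illustration.

```php
<?php
// Added illustration. parse_raw_pairs() and build_query() are hypothetical
// helper names, not functions from the PayPal sample.

/**
 * Split a raw application/x-www-form-urlencoded body into decoded
 * [key, value] pairs. Order and duplicate keys are preserved.
 */
function parse_raw_pairs(string $raw): array
{
    $pairs = [];
    foreach (explode('&', $raw) as $chunk) {
        if ($chunk === '') {
            continue; // skip empty segments such as a trailing '&'
        }
        // Limit of 2 keeps any '=' that appears inside the value.
        $parts = explode('=', $chunk, 2);
        $pairs[] = [urldecode($parts[0]), urldecode($parts[1] ?? '')];
    }
    return $pairs;
}

/**
 * Rebuild a query string. With $encodeKeys = false only the values are
 * encoded (stand-in for the behaviour the issue describes); with true,
 * keys and values are both passed through urlencode().
 */
function build_query(array $pairs, bool $encodeKeys): string
{
    $out = [];
    foreach ($pairs as [$key, $value]) {
        $k = $encodeKeys ? urlencode($key) : $key;
        $out[] = $k . '=' . urlencode($value);
    }
    return implode('&', $out);
}

// Constructed sample body: the second key was sent with a raw space and
// raw brackets, i.e. without urlencoding.
$raw = 'mc_gross=9.99&item name[1]=Blue widget&payer_email=buyer%40example.com';
$pairs = parse_raw_pairs($raw);

$valuesOnly = build_query($pairs, false); // key keeps its raw space and brackets
$hardened   = build_query($pairs, true);  // key is percent-encoded

echo $valuesOnly, PHP_EOL, $hardened, PHP_EOL;

// Round-trip check: the hardened string decodes to exactly the same pairs.
var_dump(parse_raw_pairs($hardened) === $pairs);
```

Because both forms decode to the same key and value pairs, encoding the keys changes only the wire representation, not the content that is sent back for verification.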