paypal / ipn-code-samples


PHP sample: missing urlencode() for keys in query string #156

Closed KatharinaSt closed 5 years ago

KatharinaSt commented 5 years ago

General information

Issue description

In the PHP sample the POST input is read via file_get_contents('php://input') and then parsed to a new query string. The value parts are correctly sanitized via urlencode(); the keys, however, are not.

        // $myPost holds the IPN fields parsed from file_get_contents('php://input');
        // $req starts as 'cmd=_notify-validate' and is posted back to PayPal.
        foreach ($myPost as $key => $value) {
            if ($get_magic_quotes_exists == true && get_magic_quotes_gpc() == 1) {
                $value = urlencode(stripslashes($value));
            } else {
                $value = urlencode($value);
            }
            // Only $value is encoded; $key is appended to the query string verbatim.
            $req .= "&$key=$value";
        }

I am not sure if this can actually lead to serious security issues in this context, but at least special characters can be included as query keys that do not conform to the RFC (if they have been sent without urlencoding before).
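For comparison, the same loop with urlencode() applied to the key as well, so the verification body is always a well-formed query string. This is an added example, not code from paypal/ipn-code-samples or from the issue author; parseFormBody() and buildNotifyValidateBody() are assumed names, the sample body is constructed, and the get_magic_quotes_gpc() branch is dropped because that function no longer exists in PHP 8.

```php
<?php
// Added example (not from paypal/ipn-code-samples): rebuild the IPN
// _notify-validate request body with urlencode() applied to keys as well
// as values.
declare(strict_types=1);

/**
 * Parse a raw application/x-www-form-urlencoded body into an ordered
 * key => value array. explode() is used instead of parse_str() so that
 * keys are kept verbatim (parse_str() rewrites '.' and ' ' in keys to '_').
 */
function parseFormBody(string $raw): array
{
    $fields = [];
    foreach (explode('&', $raw) as $pair) {
        if ($pair === '') {
            continue;
        }
        $parts = explode('=', $pair, 2);
        $key = urldecode($parts[0]);
        $value = isset($parts[1]) ? urldecode($parts[1]) : '';
        $fields[$key] = $value;
    }
    return $fields;
}

/**
 * Build the verification body the way the sample does, but encode the
 * key on every iteration too. Whatever was posted, the result contains
 * only RFC-conformant key and value tokens separated by '&' and '='.
 */
function buildNotifyValidateBody(array $fields): string
{
    $req = 'cmd=_notify-validate';
    foreach ($fields as $key => $value) {
        // (string) cast: PHP turns numeric-string keys into ints.
        $req .= '&' . urlencode((string) $key) . '=' . urlencode($value);
    }
    return $req;
}

// Constructed sample body: the last key contains '&', '=' and a space,
// which the original loop would have copied into $req unencoded.
$raw = 'txn_id=1A2B3C&payment_status=Completed&'
     . rawurlencode('odd key&x=1') . '=v';
$fields = parseFormBody($raw);
echo buildNotifyValidateBody($fields), PHP_EOL;
```

Run it with `php example.php`; the final key appears as `odd+key%26x%3D1` instead of breaking the query string into extra parameters.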

KatharinaSt commented 5 years ago

Okay, it's not an issue at all.

As I understand it, the request purporting to be from PayPal is sent back via this mechanism so that PayPal can verify or reject the authenticity of the message. If an attacker has actually sent a malicious request (also with evil characters), PayPal will negate the request and no verification will take place.