Security: Open redirect #5
Comments
I'm honestly not sure what this redirect is being used for; I'm leery of getting rid of it till I understand whether it would break anything.
The client redirects all links to PayPal and Dwolla through the redirect server. Presumably to collect user data? Can’t really see any other reason for it.
Right. My point is that it's not right to tell publishers to provide a bitcoin address before the extension can actually pay to it---otherwise publishers won't get paid. So I'll merge this in once the change to the extension is deployed.

On 2/15/2017 10:59 PM, Daniel Aleksandersen wrote:
Open redirects are a security threat and redirect.php is wide open. Why is it even needed? In any case, it must be closed. Limiting it to paypal.com can be a stop-gap measure to closing it. However, the redirect also isn’t used over HTTPS, so the best thing is to just get rid of it.
Open redirects are a security threat and redirect.php is wide open.
Why is it even needed? In any case, it must be closed. Limiting it to paypal.com can be a stop-gap measure to closing it. However, the redirect also isn’t used over HTTPS, so the best thing is to just get rid of it.
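The "limit it to paypal.com" stop-gap described in this issue, as an added illustration that is not the project's redirect.php (whose contents are not shown here): a PHP handler that only forwards to an exact-match allowlist of HTTPS hosts and answers 400 for anything else. The `url` query parameter name and the hostnames in the allowlist are assumptions for the example; the Dwolla host is included only because the thread says the client also routes Dwolla links through the redirect.

```php
<?php
// Added example of an allowlisted redirect; not the project's own redirect.php.
// Assumed request shape: redirect.php?url=<absolute https URL>
declare(strict_types=1);

// Exact-match allowlist of destination hosts (assumed values for this example).
// Matching the parsed host exactly avoids the usual mistake of checking the raw
// string with strpos()/substring logic, which accepts look-alike hosts.
const ALLOWED_HOSTS = [
    'www.paypal.com',
    'paypal.com',
    'www.dwolla.com',
];

/**
 * Returns the URL unchanged when it is a well-formed HTTPS URL whose host is on
 * the allowlist, otherwise null. Relative URLs, userinfo, backslashes and
 * control characters are all rejected rather than "cleaned up".
 */
function sanitize_redirect_target(string $url): ?string
{
    // Backslashes and control characters have no place in a redirect target
    // and confuse URL parsers; reject them outright.
    if (preg_match('/[\\\\\x00-\x20\x7f]/', $url) === 1) {
        return null;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // malformed or relative: no absolute host to check
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return null; // only HTTPS destinations, per the issue's concern
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // userinfo lets the visible text differ from the real host
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null; // host not on the allowlist
    }
    return $url;
}

$target = sanitize_redirect_target($_GET['url'] ?? '');
if ($target === null) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Refusing to redirect: destination is not an allowed HTTPS host.\n";
    exit;
}

// PHP's header() refuses values containing CR/LF, so the Location header
// cannot be split even if validation were loosened later.
header('Location: ' . $target, true, 302);
exit;
```

With this in place a request for `https://www.paypal.com/...` is forwarded while `http://www.paypal.com/...`, `https://www.paypal.com.example/...` or any non-URL value gets a 400. The thread's own conclusion still stands: an allowlist limits the damage, but if nothing needs the redirect, removing redirect.php is the smaller attack surface.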