Security: Open redirect

[da2x]

Open redirects are a security threat and redirect.php is wide open.

Why is it even needed? In any case, it must be closed. Limiting it to paypal.com can be a stop-gap measure to closing it. However, the redirect also isn’t used over HTTPS, so the best thing is to just get rid of it.

[karger]

I'm honestly not sure what this redirect is being used for; I'm leery of getting rid of it till I understand whether it would break anything.

[da2x]

The client redirects all links to PayPal and Dwolla through the redirect server. Presumably to collect user data? Can’t really see any other reason for it.

[karger]

Right. My point is that it's not right to tell publishers to provide a bitcoin address before the extension can actually pay to it---otherwise publishers won't get paid. So I'll merge this in once the change to the extension is deployed.

…

On 2/15/2017 10:59 PM, Daniel Aleksandersen wrote: Open redirects are a security threat and redirect.php is wide open. Why is it even needed? In any case, it must be closed. Limiting it to paypal.com can be a stop-gap measure to closing it. However, the redirect also isn’t used over HTTPS, so the best thing is to just get rid of it. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#5>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABFpXm8U149vCC3Y4wgF5jWlShWJNDG3ks5rc8m7gaJpZM4MCjuf>.