URI Parameter Pollution #4046

issue magoo opened this issue on April 12, 2014
  1. magoo commented at 12:19 AM on April 12, 2014: none

    To help prevent some lightweight fraud, this is a suggestion to improve URI handling with bitcoin-qt. Consider URIs with duplicate parameters (ex: "?amount=1&amount=100") to be invalid requests altogether. This would help prevent situations where other software handling a bitcoin: URI would respect the first parameter, but cause the client to handle the second parameter. For instance, an invoice being generated with a URI which is then passed to a client to handle later. If there are inconsistencies between apps passing URIs, it will open up a vulnerability.

    This is generally called "parameter pollution" in the web app world. https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_(OWASP-DV-004)

    I wouldn't consider this to be a critical bug, but it would be good housekeeping to prevent them.

  2. laanwj commented at 9:16 AM on April 12, 2014: member

    I think this is a worthy goal, but you should aim to have this clarified in the spec first: https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki (From what I remember it says nothing about duplicate parameters!)

    Bitcoin Core is by no means the only, or even the most important, application that implements Bitcoin URIs, so decisions that we make on our own will cause confusion.
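As an added illustration of the two comments above (not code from Bitcoin Core or from either commenter), the parser below shows why the "first wins" and "last wins" readings of a polluted `bitcoin:` URI disagree, and how a strict policy that rejects any repeated key removes the ambiguity. The URI and address are constructed sample values; BIP21 itself does not say which policy applies.

```python
from urllib.parse import parse_qsl


class DuplicateParameter(ValueError):
    """Raised when a bitcoin: URI repeats a query parameter."""


def parse_bitcoin_uri(uri: str, on_duplicate: str = "reject") -> dict:
    """Parse a BIP21-style bitcoin: URI into {"address": ..., "params": {...}}.

    on_duplicate selects the policy for a repeated key:
      "reject" -> raise DuplicateParameter (the behaviour proposed in the issue)
      "first"  -> keep the first occurrence (what some URI handlers do)
      "last"   -> keep the last occurrence (what others do)
    """
    if not uri.lower().startswith("bitcoin:"):
        raise ValueError("not a bitcoin: URI")
    address, _, query = uri[len("bitcoin:"):].partition("?")
    params: dict = {}
    # keep_blank_values=True so "?amount=&amount=5" still counts as a duplicate.
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in params:
            if on_duplicate == "reject":
                raise DuplicateParameter(f"parameter {key!r} given more than once")
            if on_duplicate == "first":
                continue  # ignore the later value
        params[key] = value
    return {"address": address, "params": params}


def rejects_duplicates(uri: str) -> bool:
    """True if the strict policy refuses this URI."""
    try:
        parse_bitcoin_uri(uri, "reject")
    except DuplicateParameter:
        return True
    return False


def amount_under_each_policy(uri: str) -> tuple:
    """(first-wins amount, last-wins amount); unequal means the URI is ambiguous."""
    first = parse_bitcoin_uri(uri, "first")["params"].get("amount")
    last = parse_bitcoin_uri(uri, "last")["params"].get("amount")
    return first, last


# Constructed example: an invoice tool reads amount=1, the wallet pays amount=100.
POLLUTED = "bitcoin:EXAMPLEADDRESS?amount=1&amount=100&label=invoice"
CLEAN = "bitcoin:EXAMPLEADDRESS?amount=1&label=invoice"
```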

  3. laanwj added the label GUI on Apr 12, 2014
  4. laanwj added the label Improvement on Apr 12, 2014
  5. laanwj added the label BIP on Apr 12, 2014
  6. laanwj removed the label BIP on Jan 8, 2015
  7. laanwj closed this on May 18, 2015

  8. MarcoFalke locked this on Sep 8, 2021
This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-21 18:15 UTC