Maybe I'm missing something, but it looks to me like the signature param is never verified during `OrdersController#postfill`. That means that anyone could construct a URL for that action.
Granted, it doesn't seem too worrisome given what that controller does, but someone could, for instance, potentially snag an authorized token, change the shipping address, and then pass along the altered values to the Selfstarter app.
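As an added example, not code from the Selfstarter project or from the issue author: a minimal Ruby model of the check the report says is missing, recomputing the signature over the received params and refusing to act on a callback whose values (such as the shipping address) no longer match it. The HMAC-SHA256 scheme, `CALLBACK_SECRET`, the `canonical_query`/`secure_equal?`/`valid_signature?`/`postfill` helpers and the sample callback values are all assumed for illustration, not the payment provider's real format.

```ruby
require "openssl"
require "cgi"

# Assumed shared secret; a real app loads this from configuration, never source.
CALLBACK_SECRET = "constructed-demo-secret-do-not-use".freeze

# Assumed canonicalisation: every param except `signature`, sorted by key,
# URL-encoded as key=value and joined with "&".
def canonical_query(params)
  params.reject { |k, _| k == "signature" }
        .sort_by { |k, _| k }
        .map { |k, v| "#{CGI.escape(k)}=#{CGI.escape(v.to_s)}" }
        .join("&")
end

def sign_params(params, secret = CALLBACK_SECRET)
  OpenSSL::HMAC.hexdigest("SHA256", secret, canonical_query(params))
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The verification the issue says never happens: a missing or non-matching
# signature means the params cannot be trusted.
def valid_signature?(params, secret = CALLBACK_SECRET)
  sig = params["signature"]
  return false if sig.nil? || sig.empty?
  secure_equal?(sig, sign_params(params, secret))
end

# Stand-in for the controller action: verify first, only then use the values.
def postfill(params)
  return :rejected unless valid_signature?(params)
  { token: params["token"], shipping_address: params["shipping_address"] }
end

# Constructed sample callback, signed as the provider would sign it.
LEGIT = { "token" => "TOKEN-abc123", "shipping_address" => "1 Real St",
          "amount" => "25.00" }.freeze
SIGNED_LEGIT = LEGIT.merge("signature" => sign_params(LEGIT)).freeze
# Same signed token with the shipping address altered: must be rejected.
TAMPERED = SIGNED_LEGIT.merge("shipping_address" => "99 Other Ave").freeze
```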