Patrick Toomey
We will chat about it on our team call today.
I opened a radar about this a while back. And, it sounds like it is a bug that is supposedly fixed in the public beta of the next OS release:...
@github/appsec - Any edge cases you think I should add tests for?
FYI @scottjg
@technoweenie - I had to temporarily comment out some of the code in here that calls `symbolize_keys` while testing, since the default rake task doesn't suck in any Rails stuff...
> (If you use other headers to carry credentials you are out of luck.) I'm sure there is a good reason for this, so apologies if this has been discussed...
Even in the non-malicious case...it isn’t that rare (at all) for an application to intentionally redirect to a third party site that isn’t fully trusted. This behavior seems as scary...
If anyone wants to open up a PR to script/automate the building using the best supported SDK that would be awesome.
This should be fixed as of https://github.com/vmg/houdini/pull/16.
I'd tend to vote the URL not be decoded. It seems like the intent of the spec is to perform a signature of the content of the request (as it exists...