URI Parameter Pollution #4046

@magoo

Description

To help prevent some lightweight fraud, this is a suggestion to improve URI handling with bitcoin-qt. Consider URIs with duplicate parameters (ex: "?amount=1&amount=100") to be invalid requests altogether. This would help prevent situations where other software handling a bitcoin: URI would respect the first parameter, but cause the client to handle the second parameter. For instance, an invoice being generated with a URI which is then passed to a client to handle later. If there are inconsistencies between apps passing URIs, it will open up a vulnerability.

This is generally called "parameter pollution" in the web app world.
https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_(OWASP-DV-004)

I wouldn't consider this to be a critical bug, but it would be good housekeeping to prevent them.
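As an added illustration (not code from this issue or from Bitcoin Core), a small Python model of the three ways a consumer can treat a polluted bitcoin: URI: first value wins, last value wins, or the strict rejection proposed above. The address and the sample URIs are constructed placeholders.

```python
from decimal import Decimal
from urllib.parse import parse_qs


class UriPollutionError(ValueError):
    """Raised when a bitcoin: URI carries the same parameter more than once."""


def split_bitcoin_uri(uri: str) -> tuple[str, str]:
    """Split 'bitcoin:<address>?<query>' into (address, raw query string)."""
    scheme, _, rest = uri.partition(":")
    if scheme.lower() != "bitcoin":
        raise ValueError("not a bitcoin: URI")
    address, _, query = rest.partition("?")
    if not address:
        raise ValueError("missing address")
    return address, query


def parse_lenient(uri: str, last_wins: bool) -> dict:
    """Model of a permissive consumer: duplicates silently collapse to the
    first or the last value, so two such consumers can disagree on 'amount'."""
    address, query = split_bitcoin_uri(uri)
    params = {"address": address}
    for key, values in parse_qs(query, keep_blank_values=True).items():
        params[key] = values[-1] if last_wins else values[0]
    return params


def parse_strict(uri: str) -> dict:
    """Proposed behaviour: any repeated key makes the whole URI invalid."""
    address, query = split_bitcoin_uri(uri)
    params = {"address": address}
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if len(values) > 1:
            raise UriPollutionError(f"parameter {key!r} given {len(values)} times")
        params[key] = values[0]
    if "amount" in params:
        params["amount"] = Decimal(params["amount"])  # reject non-numeric amounts early
    return params


# Constructed sample URIs; the address is a placeholder, not a real one.
ADDRESS = "1ExampleAddressPlaceholderxxxxxxxx"
POLLUTED_URI = f"bitcoin:{ADDRESS}?amount=1&amount=100&label=Invoice%2042"
CLEAN_URI = f"bitcoin:{ADDRESS}?amount=0.5&label=Invoice%2042"

if __name__ == "__main__":
    print(parse_lenient(POLLUTED_URI, last_wins=False)["amount"])  # 1
    print(parse_lenient(POLLUTED_URI, last_wins=True)["amount"])   # 100
    print(parse_strict(CLEAN_URI))
```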
