paypal and appengine


pdp

Jun 9, 2008, 10:26:50 AM
to Google App Engine
it seems to me that Google deliberately blocks requests to paypal. nc,
nc, nc... kind of in contradiction to the open web thing you guys are
preaching. I hope that this is just a bug though but I cannot see why
it should be... any other request of a similar nature works fine, even
with a similar syntax.. even requests with similar domain but not
directly pointing to paypal.com work fine.

what's going on?

pdp

Jun 9, 2008, 10:43:24 AM
to Google App Engine
dear developers,

as always, if something doesn't work you can hack it. apparently
Google blocks URLs to paypal but with a bit of creativity we can
bypass this restriction. I hope that we don't have to do this in the
future. the only reason I am sharing this information is to provoke
Google's decision to block PayPal URLs. I know that by reading this
they may try to prevent this method as well but ... well, I am taking
the risk.

so, requests to:

https://www.paypal.com/cgi-bin/webscr
https://www.sandbox.paypal.com/cgi-bin/webscr

are blocked. as usual these checks are not very complete. in order to
bypass them we need to change the paypal URLs to something different.
For example, we can use tinyurl for that matter:

http://tinyurl.com/3ro7da

which is actually

https://www.sandbox.paypal.com/cgi-bin/webscr

if we send the post verification to that URL we bypass the restriction
which leads to VERIFIED or INVALID or whatever else PayPal may return.

Now, I won't trust tinyurl for this kind of stuff but all you need to
do is to write a simple redirection utility. Just create a new GET and
POST request handler for IPN redirections and point your scripts to
that instead of the real paypal URLs. When the requests arrive you
translate them to the paypal ones via a 302 open redirect.

solved!

regards,
pdp

gnucitizen.org | gnucitizen.com | gnucitizen.net | hakiri.org |
spinhunters.org
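
Added example, not part of the original thread and not Google's code: a destination filter that inspects only the caller-supplied URL passes the redirect described in the post above, while re-checking every redirect target before requesting it does not. The deny list, the status codes and the in-memory `FAKE_WEB` table are constructed stand-ins for the demonstration; no real URLFetch call is made.

```python
from urllib.parse import urljoin, urlsplit

# Constructed policy for the demonstration: deny this domain and its subdomains.
DENIED_SUFFIXES = ("paypal.com",)
REDIRECTS = (301, 302, 303, 307, 308)

# Constructed stand-in for the network: URL -> (status, Location header).
# The tinyurl mapping is the one given in the post; the status codes are assumed.
FAKE_WEB = {
    "http://tinyurl.com/3ro7da": (301, "https://www.sandbox.paypal.com/cgi-bin/webscr"),
    "https://www.sandbox.paypal.com/cgi-bin/webscr": (200, None),
    "http://example.org/a": (302, "/b"),  # relative redirect, same host
    "http://example.org/b": (200, None),
}


def host_denied(url):
    """True if the URL's host is a denied domain or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DENIED_SUFFIXES)


def fetch(url, check_every_hop, max_hops=5):
    """Follow redirects by hand; return (outcome, last URL considered)."""
    if host_denied(url):
        return ("blocked", url)
    for _ in range(max_hops):
        status, location = FAKE_WEB[url]
        if status not in REDIRECTS:
            return ("fetched", url)
        url = urljoin(url, location)  # resolve relative Location values
        # The filter only holds if each new target is checked before it is requested.
        if check_every_hop and host_denied(url):
            return ("blocked", url)
    return ("too_many_redirects", url)


if __name__ == "__main__":
    for start in ("https://www.paypal.com/cgi-bin/webscr", "http://tinyurl.com/3ro7da"):
        print(start, fetch(start, False), fetch(start, True))
```
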

peterk

Jun 9, 2008, 11:04:26 AM
to Google App Engine
Thanks for this. There's a good chance I'll need to use paypal in my
app, so I'll know where to come if I run into trouble. But hopefully,
as you say, Google will fix this. Google is indeed supposed to
support and champion an open internet..

On Jun 9, 3:43 pm, pdp <pdp.gnuciti...@googlemail.com> wrote:
> dear developers,
>
> as always, if something doesn't work you can hack it. apparently
> Google blocks URLs to paypal but with a bit of creativity we can
> bypass this restriction. I hope that we don't have to do this in the
> future. the only reason I am sharing this information is to provoke
> Google's decision to block PayPal URLs. I know that by reading this
> they may try to prevent this method as well but ... well, I am taking
> the risk.
>
> so, requests to:
>
> https://www.paypal.com/cgi-bin/webscr
> https://www.sandbox.paypal.com/cgi-bin/webscr

Aral Balkan

Jun 10, 2008, 6:23:16 AM
to Google App Engine
Wow, so they're actually blocking the PayPal URLs? That doesn't sound
like a "do no evil" policy to me. In fact, it is exactly the sort of
thing that people fear most about Google App Engine (that Google will
use their position of power to dictate what your applications can and
cannot access.)

If Google is deliberately blocking PayPal's URLs (which, it seems,
they are), someone from Google should _at least_ acknowledge this and
provide Google's reasons for doing so.

Staying silent on this does not make Google or Google App Engine look
good and, personally, scares me.

Thanks,
Aral

On Jun 9, 4:04 pm, peterk <peter.ke...@gmail.com> wrote:
> Thanks for this. There's a good chance I'll need to use paypal in my
> app, so I'll know where to come if I run into trouble. But hopefully,
> as you say, Google will fix this. Google is indeed supposed to
> support and champion an open internet..
>
> On Jun 9, 3:43 pm, pdp <pdp.gnuciti...@googlemail.com> wrote:
>
> > dear developers,
>
> > as always, if something doesn't work you can hack it. apparently
> > Google blocks URLs to paypal but with a bit of creativity we can
> > bypass this restriction. I hope that we don't have to do this in the
> > future. the only reason I am sharing this information is to provoke
> > Google's decision to block PayPal URLs. I know that by reading this
> > they may try to prevent this method as well but ... well, I am taking
> > the risk.
>
> > so, requests to:
>
> > https://www.paypal.com/cgi-bin/webscr
> > https://www.sandbox.paypal.com/c...

Aral Balkan

Jun 10, 2008, 6:46:18 AM
to Google App Engine
I just blogged about this here:
http://aralbalkan.com/1356

Let's hope we get an answer from the good folks at Google.

Aral

On Jun 10, 11:23 am, Aral Balkan <aralbal...@gmail.com> wrote:
> Wow, so they're actually blocking the PayPal URLs? That doesn't sound
> like a "do no evil" policy to me. In fact, it is exactly the sort of
> thing that people fear most about Google App Engine (that Google will
> use their position of power to dictate what your applications can and
> cannot access.)
<snip>

wave connexion(BQ)

Jun 10, 2008, 8:00:52 AM
to google-a...@googlegroups.com
sounds unreasonable...
--
BQ

glenc

Jun 10, 2008, 9:22:06 AM
to Google App Engine
This is something that I had planned to integrate into my app too, so
knowing that Google is against it is a little worrying. I'm hoping
this is a temporary restriction due to the beta-ness of AppEngine at
the moment and not a formal policy moving forward. Ducking and diving
through redirects and so on is not the kind of confidence-inspiring
stuff you want to be looking at when building payment-processing
stuff.

On Jun 10, 8:00 am, "wave connexion(BQ)" <waveconnex...@gmail.com>
wrote:

pdp

Jun 10, 2008, 10:02:31 AM
to Google App Engine
unfortunately Google are on it again... now it returns

raise DownloadError()

I guess they are blocking paypal at their gateway....

hmmmm... so much for sharing :(

On Jun 10, 2:22 pm, glenc <glen.coa...@gmail.com> wrote:
> This is something that I had planned to integrate into my app too, so
> knowing that Google is against it is a little worrying.  I'm hoping
> this is a temporary restriction due to the beta-ness of AppEngine at
> the moment and not a formal policy moving forward.  Ducking and diving
> through redirects and so on is not the kind of confidence-inspiring
> stuff you want to be looking at when building payment-processing
> stuff.
>
> On Jun 10, 8:00 am, "wave connexion(BQ)" <waveconnex...@gmail.com>
> wrote:
>
> > sounds unreasonable...
>
> > On Tue, Jun 10, 2008 at 6:46 PM, Aral Balkan <aralbal...@gmail.com> wrote:
>
> > > I just blogged about this here:
> > > http://aralbalkan.com/1356
>
> > > Let's hope we get an answer from the good folks at Google.
>
> > > Aral
>
> > > On Jun 10, 11:23 am, Aral Balkan <aralbal...@gmail.com> wrote:
> > > > Wow, so they're actually blocking the PayPal URLs? That doesn't sound

peterk

Jun 10, 2008, 10:06:20 AM
to Google App Engine
You mean it doesn't work even with a redirect now?

Marce

Jun 10, 2008, 2:11:01 PM
to Google App Engine
Hi,

Thanks for the report! This is a bug, and we have located the problem.
There was an error in our anti-phishing protections that was blocking
some specific URL domains from being fetched using the URLFetch
service. This was an oversight on our part, and these specific domain
restrictions will be removed in the next few days.

Thanks,
Marzia

On Jun 10, 7:06 am, peterk <peter.ke...@gmail.com> wrote:
> You mean it doesn't work even with a redirect now?
>
> On Jun 10, 3:02 pm, pdp <pdp.gnuciti...@googlemail.com> wrote:
>
> > unfortunately Google are on it again... now it returns
>
> > raise DownloadError()
>
> > I guess they are blocking paypal at their gateway....

peterk

Jun 10, 2008, 2:59:45 PM
to Google App Engine
Good to hear, thanks for listening :)

Marzia Niccolai

Jun 10, 2008, 6:13:06 PM
to google-a...@googlegroups.com
Hi,
 This issue has now been fixed.  These URLs are now accessible with Google App Engine.

-Marzia

wave connexion(BQ)

Jun 11, 2008, 1:45:06 AM
to google-a...@googlegroups.com
good
--
BQ

Aral Balkan

Jun 11, 2008, 3:50:00 AM
to Google App Engine
Thanks for responding and fixing this so quickly, Marzia! :)

I've updated my blog post with your comment, btw.

Aral

On Jun 11, 6:45 am, "wave connexion(BQ)" <waveconnex...@gmail.com>
wrote:
> good
<snip>

Aral Balkan

Jun 11, 2008, 3:53:47 AM
to Google App Engine
I've also updated the other two threads here with your comment and a
quick note to tell them that the issue has been fixed.

Thanks again,
Aral

On Jun 11, 8:50 am, Aral Balkan <aralbal...@gmail.com> wrote:
> Thanks for responding and fixing this so quickly, Marzia! :)
>
> I've updated my blog post with your comment, btw.
>
> Aral
<snip>