From 0b7fa9cd99dc18cf5e6c6cfca3fafb19532d124b Mon Sep 17 00:00:00 2001
From: Sander van Grieken
Date: Thu, 4 Jan 2024 12:34:17 +0100
Subject: [PATCH 1/2] bip21: fail bip21 uri if unsupported req-* parameter is present. fixes #8781
---
 electrum/bip21.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/electrum/bip21.py b/electrum/bip21.py
index bcf6bd361..6b9cdf2fc 100644
--- a/electrum/bip21.py
+++ b/electrum/bip21.py
@@ -43,6 +43,9 @@ def parse_bip21_URI(uri: str) -> dict:
 for k, v in pq.items():
 if len(v) != 1:
 raise InvalidBitcoinURI(f'Duplicate Key: {repr(k)}')
+ if k.startswith('req-'):
+ # we have no support for any req-* query parameters
+ raise InvalidBitcoinURI(f'Unsupported Key: {repr(k)}')
 out = {k: v[0] for k, v in pq.items()}
 if address:
From bd88b6ba298e4a09849efa48c66576424d60bdcd Mon Sep 17 00:00:00 2001
From: SomberNight
Date: Thu, 4 Jan 2024 16:00:24 +0000
Subject: [PATCH 2/2] tests: add unit test for prev
---
 electrum/tests/test_util.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/electrum/tests/test_util.py b/electrum/tests/test_util.py
index 1767bc8bf..f64af19d3 100644
--- a/electrum/tests/test_util.py
+++ b/electrum/tests/test_util.py
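Review bot: The `req-` rejection added to the `for k, v in pq.items()` loop only covers keys that made it into `pq`, and `pq` is built above this hunk. If it comes from `urllib.parse.parse_qs` with default arguments (not visible here, please confirm), a parameter with an empty value such as `req-foo=` is discarded before the loop and the URI is still accepted, although BIP21 requires rejecting any `req-` parameter the client does not understand. Parsing with `keep_blank_values=True`, or checking the raw query keys before they are filtered, would close that gap. `parse_bip21_URI` starts and ends outside the hunk.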
@@ -149,6 +149,13 @@ class TestUtil(ElectrumTestCase):
 def test_parse_URI_parameter_pollution(self):
 self.assertRaises(InvalidBitcoinURI, parse_bip21_URI, 'bitcoin:15mKKb2eos1hWa6tisdPwwDC1a5J1y9nma?amount=0.0003&label=test&amount=30.0')
+ @as_testnet
+ def test_parse_URI_unsupported_req_key(self):
+ self._do_test_parse_URI('bitcoin:TB1QXJ6KVTE6URY2MX695METFTFT7LR5HYK4M3VT5F?amount=0.00100000&label=test&somethingyoudontunderstand=50',
+ {'address': 'TB1QXJ6KVTE6URY2MX695METFTFT7LR5HYK4M3VT5F', 'amount': 100000, 'label': 'test', 'somethingyoudontunderstand': '50'})
+ # now test same URI but with "req-test=1" added
+ self.assertRaises(InvalidBitcoinURI, parse_bip21_URI, 'bitcoin:TB1QXJ6KVTE6URY2MX695METFTFT7LR5HYK4M3VT5F?amount=0.00100000&label=test&req-test=1&somethingyoudontunderstand=50')
+
 @as_testnet
 def test_parse_URI_lightning_consistency(self):
 # bip21 uri that *only* includes a "lightning" key. LN part does not have fallback address
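Review bot: The negative case in `test_parse_URI_unsupported_req_key` asserts one shape only, `req-test=1` with a non-empty value. A `req-` key with an empty value is the case most likely to be lost during query parsing before the parser's check runs, so it deserves its own assertion, for example `self.assertRaises(InvalidBitcoinURI, parse_bip21_URI, 'bitcoin:TB1QXJ6KVTE6URY2MX695METFTFT7LR5HYK4M3VT5F?amount=0.00100000&req-test=')`. The `TestUtil` class continues outside the hunk.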