User provided values trusted in sensitive actions
Coinbase
Team Summary
Official summary from Coinbase
In the Coinbase zencart open source library, a researcher observed two issues related to making calls based on user-provided values. The reporter observed that these issues could allow a malicious user to perform an open redirect and a CRLF injection in any PHP version <=5.4.1. Unfortunately, Coinbase OSS libraries are out of scope of our bug bounty program, and researchers should directly submit an issue or pull request on the repository.
Reported by
paulos__
Report Details
Additional information and metadata
State
Closed
Substate
Informative