Extra parameters arise when a field that should be specified only once is specified multiple times, when unexpected arguments are supplied, or when redundant arguments with different values are given in different places (for example in the query string, the POST body, a cookie and the session). Applications and protocols must define behaviour appropriate to the nature of the parameter wherever such scenarios are possible. The below request will redirect to /nuxeo?id=1. On its own this is not an exploitable vulnerability, but a redirect bug of this kind could be used to extend the previous RCE vulnerability: a link that points at the legitimate host and then bounces the victim elsewhere makes for a very convincing phishing attack.
Where a parameter can be specified more than once, define an order of precedence whereby the most trusted value is used; for example, between a cookie and a query string parameter, trust the cookie. Better still, avoid creating scenarios where redundant input from unexpected sources is possible at all.
In this specific example, storing the intended target in a server-side session attribute when it is first established, and no longer accepting requestUrl from the POST request, would effectively remediate this issue: the client would then have no channel through which to supply a second, conflicting value.
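The following is an added example, not code from the write-up or from Nuxeo, showing both recommendations from the two paragraphs above in working Python: a resolver that takes a single-valued parameter from the most trusted source first and rejects conflicting duplicates, and the remediation for this case, where requestUrl is read only from the session and is additionally checked to be a local path before it is used as a redirect target. The source names (session, cookie, body, query), the trust order, the sample request and the default landing page "/" are all assumptions made for illustration.

```python
"""Resolving a single-valued parameter that may arrive from several sources.

Hypothetical helper, not Nuxeo code. The source names (session, cookie, body,
query), their trust order and the sample request below are assumptions.
"""
from urllib.parse import parse_qs, urlsplit

# Most trusted first. Session state never leaves the server; a cookie is held by the
# client but bound to the site; the POST body and query string are whatever a
# phishing link (or the attacker's own browser) chose to send.
TRUST_ORDER = ("session", "cookie", "body", "query")


class ParameterConflict(ValueError):
    """A parameter that must be given once arrived with more than one distinct value."""


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def resolve_param(name, sources, allowed=TRUST_ORDER, reject_conflicts=True):
    """Return the value of `name` from the most trusted source that supplies it.

    sources: dict mapping a source name to a dict of name -> value or list of values
    allowed: sources that may legitimately carry this parameter, most trusted first;
             restricting this is how "redundant input from unexpected sources" is closed off
    reject_conflicts: if True, differing values anywhere in `allowed` raise instead
             of silently letting the precedence rule pick one
    """
    found = []  # (source, value) pairs, in trust order
    for src in allowed:
        if name in sources.get(src, {}):
            for value in _as_list(sources[src][name]):
                found.append((src, value))
    if not found:
        return None
    if reject_conflicts and len({value for _, value in found}) > 1:
        raise ParameterConflict(f"{name} supplied with conflicting values: {found}")
    return found[0][1]


def is_local_redirect(target):
    """True only for a path on this host: no scheme, no authority, no scheme-relative form."""
    if not target or not target.startswith("/"):
        return False
    if target.startswith("//") or target.startswith("/\\"):
        return False  # browsers treat both as scheme-relative URLs pointing at another host
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def post_login_redirect(sources):
    """The remediation described above: requestUrl is taken from the session only, so a
    duplicate in the POST body or query string cannot override it, and the result must
    still be a local path before it is placed in a Location header."""
    target = resolve_param("requestUrl", sources, allowed=("session",))
    if target is None or not is_local_redirect(target):
        return "/"  # safe default landing page (assumption)
    return target


def sample_request():
    """Constructed sample, not a captured request: the server-side session holds the
    intended target while the attacker-controlled body and query string disagree."""
    return {
        "session": {"requestUrl": "/nuxeo"},
        "cookie": {},
        "body": parse_qs("requestUrl=https://attacker.example/login&id=1"),
        "query": parse_qs("requestUrl=/nuxeo%3Fid%3D1"),
    }


if __name__ == "__main__":
    req = sample_request()
    print(post_login_redirect(req))  # /nuxeo: session wins, body and query are ignored
    try:
        resolve_param("requestUrl", req)  # all sources allowed: the conflict is detected
    except ParameterConflict as exc:
        print("rejected:", exc)
```

With reject_conflicts left at its default the resolver refuses a request in which the same single-valued parameter arrives with different values, which is usually the right behaviour for anything security-relevant; passing reject_conflicts=False gives the pure precedence rule from the text, where the session value silently wins over the POST body and query string.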