urllib parse_qsl(): Web cache poisoning - semicolon as a query args separator

The urlparse module treats semicolon as a separator, whereas most proxies today only take ampersands as separators.

When the attacker can separate query parameters using a semicolon ;, they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter - such as utm_* parameters, which are usually unkeyed.

The fix is to only use ampersands & as separators, and add a separator parameter to chose the separator characters.

  • Disclosure date: 2021-01-19 (Python issue bpo-42967 reported)
  • Reported at: 2020-10-19 (email sent to the PSRT list)
  • Reported by: Adam Goldschmidt (Snyk)

Fixed In

Python issue

[CVE-2021-23336] urllib.parse.parse_qsl(): Web cache poisoning - semicolon as a query args separator.

  • Python issue: bpo-42967
  • Creation date: 2021-01-19
  • Reporter: Adam Goldschmidt

CVE-2021-23336

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

Timeline

Timeline using the disclosure date 2021-01-19 as reference: