RUSTSEC-2020-0030: mozwire: Missing sanitazion in mozwire allows local file overwrite of files ending in .conf

Description

The client software downloaded a list of servers from mozilla’s servers and created local files named after the hostname field in the json document.

No verification of the content of the string was made, and it could therefore have included ‘../’ leading to path traversal.

This allows an attacker in controll of mozilla’s servers to overwrite/create local files named .conf.

The flaw was corrected by sanitizing the hostname field.

More Info

https://github.com/NilsIrl/MozWire/issues/14

Patched Versions