From ba84c3b5f698a8326ab7fec2fe0d0be6aa25f259 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexander=20Kj=C3=A4ll?= <alexander.kjaell@schibsted.com>
Date: Wed, 19 Aug 2020 13:19:03 +0200
Subject: [PATCH] Missing sanitazion in mozwire allows local file overwrite of
 files ending in .conf

---
 crates/mozwire/RUSTSEC-0000-0000.toml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 crates/mozwire/RUSTSEC-0000-0000.toml

diff --git a/crates/mozwire/RUSTSEC-0000-0000.toml b/crates/mozwire/RUSTSEC-0000-0000.toml
new file mode 100644
index 0000000..80bad97
--- /dev/null
+++ b/crates/mozwire/RUSTSEC-0000-0000.toml
@@ -0,0 +1,20 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "mozwire"
+date = "2020-08-18"
+title = "Missing sanitazion in mozwire allows local file overwrite of files ending in .conf"
+url = "https://github.com/NilsIrl/MozWire/issues/14"
+categories = []
+keywords = ["file-overwrite"]
+description = """
+The client software downloaded a list of servers from mozilla's servers and created local files named
+after the hostname field in the json document.
+
+No verification of the content of the string was made, and it could therefore have included '../' leading to path traversal.
+
+This allows an attacker in controll of mozilla's servers to overwrite/create local files named .conf.
+
+The flaw was corrected by sanitizing the hostname field.
+"""
+[versions]
+patched = ["> 0.4.1"]