
Bug 123014

Summary: www-client/w3mir tries to write files to the filesystem root directory
Product: Gentoo Linux Reporter: Emil Filipov <tie>
Component: New packages
Assignee: Gentoo Linux bug wranglers <bug-wranglers>
Status: RESOLVED DUPLICATE    
Severity: normal    
Priority: High    
Version: 2005.1   
Hardware: All   
OS: Other   
Whiteboard:
Package list:
Runtime testing required: ---

Description Emil Filipov 2006-02-16 03:28:37 UTC
Here are two nasty problems with the latest version of w3mir (www-client/w3mir), emerged from portage:

[~/test]
tie@localhost$w3mir -v
w3mir/1.0.10-2001-01-20
LWP version 5.803
Perl version: 5.008007 

[~/test]
tie@localhost$w3mir -r -c http://morp.org/images/
w3mir: http://morp.org/robots.txt, receiving header, processing
w3mir: /index.html, receiving header, document, processing, saving
w3mir: can't open /index.html for writing: Permission denied
w3mir: /twoOn.gif, receiving headerCould not open tmp file: /w3mir17497.tmp: Permission denied 

W3mir tries to:
1. Save the retrieved "index.htm" to the filesystem root directory (to "/index.html"). I would imagine that if the tool is executed under the root account, against a site which has /etc/passwd in its directory structure, the consequences will be dire.

2. Create a tmp file in the filesystem root directory ('/w3mir17497.tmp') 

As you can see, this behavior can cause serious troubles should one run unpatched w3mir under a root account.

I am no Perl developer, so I only applied a quick fix for the first problem by changing line 584 in w3mir from:

my($lf_name) = (url "file:$lf_url")->unix_path;

to:

my($lf_name) = '.' . (url "file:$lf_url")->unix_path;

In this way files are saved in the local folder, as opposed to the filesystem root folder. 

I contacted w3mir developers and here is the answer I got:
"Yes, w3mir has not been maintained since 2001.  No, you should _not_ contact us, you should contact the gentoo packager.  Always contact your distribution providers if you use their packages.  You can tell him that FreeBSD has a good patch."

So IMHO you should either patch the package, or mask it/delete it from portage. Leaving it the way it is is potentially dangerous.
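The root cause above is a URL path being turned into a local filename without being anchored under the mirror directory, so "/index.html" becomes the filesystem root's index.html. The following is an added illustration in Python, not w3mir's code: naive_local_path reproduces the same class of bug (os.path.join discards the root once it meets an absolute component), while safe_local_path goes a step beyond the reporter's prepend-'.' fix by anchoring every path under an explicit mirror root, mapping directory URLs to index.html and refusing ".." segments. The function names and the "/srv/mirror" root are assumptions for the example.

```python
import os
from urllib.parse import unquote, urlsplit


def naive_local_path(mirror_root, url):
    """The pattern behind the bug report: the URL path is used unchanged.

    os.path.join throws mirror_root away as soon as the next component is
    absolute, so "http://host/index.html" ends up at "/index.html".
    """
    return os.path.join(mirror_root, unquote(urlsplit(url).path))


def safe_local_path(mirror_root, url):
    """Anchor the URL path beneath mirror_root and refuse escapes.

    Returns the absolute destination path. Temporary files for the
    download should be created next to this path, never in "/" or
    the current directory.
    """
    path = unquote(urlsplit(url).path)
    if path == "" or path.endswith("/"):
        path += "index.html"  # a directory URL maps to its index document
    # Splitting on "/" and dropping empty and "." segments makes the path
    # relative; a ".." segment is rejected outright rather than folded.
    segments = [s for s in path.split("/") if s not in ("", ".")]
    if ".." in segments:
        raise ValueError(f"refusing parent-directory segment in {url}")
    root = os.path.abspath(mirror_root)
    dest = os.path.normpath(os.path.join(root, *segments))
    # Defence in depth: the result must still lie under the mirror root.
    if os.path.commonpath([root, dest]) != root:
        raise ValueError(f"refusing to write outside {root}: {url}")
    return dest


if __name__ == "__main__":
    # Constructed sample URLs mirroring the session in the report.
    for u in ("http://morp.org/images/", "http://morp.org/images/twoOn.gif"):
        print(naive_local_path("/srv/mirror", u), "->", safe_local_path("/srv/mirror", u))
```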
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-02-16 03:41:09 UTC

*** This bug has been marked as a duplicate of 115183 ***