Bug 123014

Here are two nasty problems with the latest version of w3mir (www-client/w3mir), emerged from portage:

[~/test]
tie@localhost$w3mir -v
w3mir/1.0.10-2001-01-20
LWP version 5.803
Perl version: 5.008007 

[~/test]
tie@localhost$w3mir -r -c http://morp.org/images/
w3mir: http://morp.org/robots.txt, receiving header, processing
w3mir: /index.html, receiving header, document, processing, saving
w3mir: can't open /index.html for writing: Permission denied
w3mir: /twoOn.gif, receiving headerCould not open tmp file: /w3mir17497.tmp: Permission denied 

W3mir tries to:
1. Save the retrieved "index.htm" to the filesystem root directory (to " /index.html"). I would imagine that if the tool is excuted under the root account, against a site which has /etc/passwd in its directory structure, the consequences will be dire

2. Create a tmp file in the filesystem root directory ('/w3mir17497.tmp') 

As yo ucan see this behavior can cause serious troubles should one run unpatched w3mir under a root account.

I am no Perl developer so I only applied a quickfix for the first problem by changing line 584 in w3mir from:

my($lf_name) = (url "file:$lf_url")->unix_path;

to:

my($lf_name) = '.' . (url "file:$lf_url")->unix_path;

In this way files are saved in the local folder, as opposed to the filesystem root folder. 

I contacted w3mir developers and here is the answer I got:
"Yes, w3mir has not been maintained since 2001.  No, you should _not_ contact us, you should contact the gentoo packager.  Always contact your distribution providers if you use their packages.  You can tell him that FreeBSD has a good patch."

So IMHO you should either patch the package, or mask it/delete it from the portage. Leaving it the way it is is potentially dangerous.