Created attachment 156978 [details]
As suggested by mat@, WWWDIR should not be owned/writable by www:
> Mmmm, ok, looking at upstream documentation, it says the only directory
> that should be writable by the web user is a data directory, which seems to
> be called MAHARADATADIR here. So, I feel the @owner/@group should be
> removed to close the gaping security hole, and @dir(www,www,) be restricted
> to MAHARADATADIR.
And probably MAHARADATADIR should not writable by anyone as well.
While here, add LICENSE_FILE.
Note that other www/ ports you maintain may have similar problem.
A commit references this bug:
Date: Thu May 21 07:48:58 UTC 2015
New revision: 386916
- Fix permissions 
- Add LICENSE file 
- Add missing PHP module
- Update pkg-message
PR: 200351 
Submitted by: amdmi3@
(In reply to Dmitry Marakasov from comment #0)
I committed this PR, and some other improvement.
As the other www/ ports may have similar problem, I shall check it one by one later. But in my memory, some does not work if we have the same permissions fix.