Regarding Drupal FTP at http://drupal.org/project/drupal_ftp
I just had a conversation with chx in irc about the status of Drupal FTP, and its possible uses (if completed) for malware, and possible security holes. Particularly in light of the SoC project Plugin Manager, and that I stopped work on the project a year ago, I'm happy to drop the module.
However, the concept itself does have some merit, and there are many other uses I can think of other than what's planned for the Plugin Manager. Additionally, I've had a few queries over the months that indicate some developers are actually using the module, although I imagine they're in the minority. The project itself came partly out of the poor file handling that Drupal has had in the past (but will hopefully be fixed with http://drupal.org/node/142995 hint hint...)
So my question is what is the best course of action at this point? Currently, the module works, although is incomplete from its original goals. It does currently store the u/p of its designated FTP server, which is a weakness, although it would have to be developed beyond how it is to exploit that weakness.
I have no intention in the near term of continuing development of the project, don't plan to upgrade it to Drupal 6, and believe a better approach for remote file handling will emerge for Drupal 7.
Should I entirely remove the project? Officially abandon it? Amend or replace the project page with a warning, in case people are actually using it? Ask for a security team audit if we decide to keep it?
Thanks,
Aaron Winborn
I did an implementation of FTP for media_mover to harvest files from a server. I didn't even realize that there was an ftp module (damn my lazy search habits).
I actually think it'd be nice to have an abstract ftp module that other modules could implement. Yes, it has huge potential security issues, which does require implementations to be responsible as well as alert admins that they are opening up possible exploits. On the other hand, it gives huge functionality benefits - in my case, being able to move 100mb files without having users needing to deal with uploading via http is a big deal.
I guess I'd rather see one module which does the implementation that tries to deal with the security issues rather than a dozen (like myself) going it alone...
I'd be willing to lend a hand in submitting patches and what not if you want to keep the module going.
arthur
---------------------------------------------------
arthur@civicactions.com
I happen to have an FTP client too. Maybe interesting as it's driven by an external state machine and can conduct batch operations with progress displays. It's not a module, though, but designed for PHP-GTK. But it might prove useful.
----- Original Message -----
From: "arthur" <arthur@civicactions.com>
To: <development@drupal.org>
Sent: Wednesday, June 11, 2008 6:10 PM
Subject: Re: [development] What to do with Drupal FTP?
I like the idea of an FTP API for similar modules to take advantage of. I'm not attached to it being Drupal FTP, although it does seem like a good enough namespace at this time.
I just posted at http://groups.drupal.org/node/10893#comment-39618 as well, as I think the Plugin Manager soc project might also benefit from this.
Had a discussion with Thomas_Zahreddi1 in irc, and I suspect there may be more demand for the functionality than I'd suspected. But also got to thinking that Media Mover might be a better solution as well, in general, for most of what might be achieved with Drupal FTP. (I'd have to look at that module again; not sure how well it handles FTP already, assuming it does.)
Are you taking into account, since this is still open for discussion, the Joomla "callback" method: sites FTP placed in database, called by central server...? Of course, that would require push from the Drupal side... or from somewhere...
Victor Kane
http://awebfactory.com.ar
On Wednesday 11 June 2008, Aaron Winborn wrote:
> Regarding Drupal FTP at http://drupal.org/project/drupal_ftp
[snip]
> ... The project itself came partly out of the poor file handling that Drupal has had in the past (but will hopefully be fixed with http://drupal.org/node/142995 hint hint...)
[snip]
I'm all in favor of improving Drupal's core file handling. But also when discussions like this come up, I mention http://drupal.org/project/upapi (Upload API contrib module). If I could rally the troops around this module it could become a great thing.
One thing this module does is invoke hooks to let other modules know when new files have been uploaded and act on them. I can imagine an add-on that detects FTPed files, and inserts them into the upapi system (which currently only supports uploads via forms).
> Should I entirely remove the project? Officially abandon it? Amend or replace the project page with a warning, in case people are actually using it? Ask for a security team audit if we decide to keep it?
I'd maintain it if you need it, hand it off if you don't. But don't remove it entirely.
-Dave
On Wed, Jun 11, 2008 at 2:07 PM, Dave Cohen <drupal@dave-cohen.com> wrote:
> I'm all in favor of improving Drupal's core file handling. But also when discussions like this come up, I mention http://drupal.org/project/upapi (Upload API contrib module). If I could rally the troops around this module it could become a great thing.
> One thing this module does is invoke hooks to let other modules know when new files have been uploaded and act on them. I can imagine an add-on that detects FTPed files, and inserts them into the upapi system (which currently only supports uploads via forms)
Dave, why rally troops around a contrib module instead of a core patch? The UpAPI module is awesome work and implements some really cool stuff, but is irrelevant to the discussion of Drupal FTP and its merit.
I think having ftp client implementations isn't really the greatest thing, especially when PHP's native stream wrappers include FTP and SFTP/SSH. There is a patch floating around for stream wrapper support in core http://drupal.org/node/227232 which would deprecate most of these types of file clients. I think modules like drupal_ftp and media_mover are excellent use cases for stream wrapper support in core.
If it were me I'd list it as officially abandoned if you don't need it and let people know it's looking for a maintainer if anyone requires it.
.darrel.
participants (6)
- Aaron Winborn
- arthur
- Darrel O'Pry
- Dave Cohen
- FGM
- Victor Kane