[development] What to do with Drupal FTP?

arthur arthur at civicactions.com
Wed Jun 11 16:10:50 UTC 2008

I did an implementation of FTP for media_mover to harvest files from a  
server. I didn't didn't even realize that there was an ftp module  
(damn my lazy search habits).

I actually think it'd be nice to have a abstract ftp module that other  
modules could implement. Yes, it has huge potential security issues,  
which does require implementations to be responsible as well as alert  
admins that they are opening up possible exploits. On the other hand,  
it gives huge functionality benefits- in my case, being able to move  
100mb files without having users needing to deal with uploading via  
http is a big deal.

I guess I'd rather see one module which does the implementation that  
tries to deal with the security issues rather than a dozen (like  
myself) going it alone...

I'd be willing to lend a hand in submitting patches and what not if  
you want to keep the module going.


On Jun 11, 2008, at 11:07 AM, Aaron Winborn wrote:

> Regarding Drupal FTP at http://drupal.org/project/drupal_ftp
> I just had a conversation with chx in irc about the status of Drupal  
> FTP, and its possible uses (if completed) for malware, and possible  
> security holes. Particularly in light of the SoC project Plugin  
> Manager, and that I stopped work on the project a year ago, I'm  
> happy to drop the module.
> However, the concept itself does have some merit, and there are many  
> other uses I can think of other than what's planned for the Plugin  
> Manager. Additionally, I've had a few queries over the months that  
> indicate some developers are actually using the module, although I  
> imagine they're in the minority. The project itself came partly out  
> of the poor file handling that Drupal has had in the past (but will  
> hopefully be fixed with http://drupal.org/node/142995 hint hint...)
> So my question is what is the best course of action at this point?  
> Currently, the module works, although is incomplete from its  
> original goals. It does currently store the u/p of its designated  
> FTP server, which is a weakness, although it would have to be  
> developed beyond how it is to exploit that weakness.
> I have no intention in the near term of continuing development of  
> the project, don't plan to upgrade it to Drupal 6, and believe a  
> better approach for remote file handling will emerge for Drupal 7.
> Should I entirely remove the project? Officially abandon it? Amend  
> or replace the project page with a warning, in case people are  
> actually using it? Ask for a security team audit if we decide to  
> keep it?
> Thanks,
> Aaron Winborn

arthur at civicactions.com

More information about the development mailing list