Consider using phpstorage for update module

Created on 19 May 2016, over 8 years ago
Updated 3 July 2024, 4 months ago

Problem/Motivation

We originally added authorize.php and ftp/ssh support to avoid writing PHP files from the webserver.

Since then, we've added phpstorage that writes PHP files from the webserver, in a way that is 'secure enough'. While it's possible to opt out of phpstorage, it's a lot harder to opt out of it than to not use authorize.php (which I don't think I've ever actually used).

So the question then becomes - are there security implications of using phpstorage for update module which make it worse than using it for Twig or similar, that aren't also a problem for ftp/ssh/sftp?

The answer to this might be 'no', but whenever I read an issue about update module/authorize.php, this idea crosses my mind, so I decided to at least open it even if it turns out to be terrible.

Proposed resolution

Use phpstorage in update module.

Deprecate the ssh/sftp/ftp options and hide them from the form.

Remaining tasks

User interface changes

API changes

Data model changes

🌱 Plan
Status

Closed: outdated

Version

11.0 🔥

Component
Update 

Last updated about 9 hours ago

  • Maintained by
  • 🇺🇸United States @tedbow
  • 🇺🇸United States @dww
Created by

🇬🇧United Kingdom catch

  • Security


Comments & Activities


  • 🇬🇧United Kingdom catch

    autoupdates makes this a non-issue, we can deprecate update module support for installing extensions soon.
