Chris Kelly Warns of Security Flaw in Proposed Drupal Project Browser Approach
Drupal contributor Chris Kelly raises a red flag over a proposed Project Browser change allowing web servers to write to code directories. He argues this reverses a core Drupal security principle—preventing executable files from being uploaded via the browser.
Kelly warns the feature, though likely to include setup warnings, risks adoption on public servers by non-technical users. He sees this as opening a serious attack vector, especially if exploited through flawed modules. The potential for mass site compromises, he suggests, outweighs any convenience gains.
His tone is sharply critical, emphasizing the risk to Drupal’s reputation and security model. While he notes potential cleanup business opportunities, his core message is clear: this approach is dangerous and the community should reject it outright. Read his critique published on LinkedIn Pulse from the Source Reference below.
ASK: Drupal Community Needs Your Support
View all →
Disclosure: This content is produced with the assistance of AI.
Disclaimer: The opinions expressed in this story do not necessarily represent that of TheDropTimes. We regularly share third-party blog posts that feature Drupal in good faith. TDT recommends Reader's discretion while consuming such content, as the veracity/authenticity of the story depends on the blogger and their motives.
Note: The vision of this web portal is to help promote news and stories around the Drupal community and promote and celebrate the people and organizations in the community. We strive to create and distribute our content based on these content policy. If you see any omission/variation on this please reach out to us at #thedroptimes channel on Drupal Slack and we will try to address the issue as best we can.
Related Drupal Initiatives
Related People
You may also like
