=== modified file 'includes/filetransfer/filetransfer.inc'
--- includes/filetransfer/filetransfer.inc	2009-06-23 12:11:19 +0000
+++ includes/filetransfer/filetransfer.inc	2009-06-25 14:40:30 +0000
@@ -2,26 +2,51 @@
 // $Id: filetransfer.inc,v 1.1 2009/06/23 12:11:19 dries Exp $
 
 /*
- * Connection class.
+ * Base FileTransfer class.
  *
- * This class does file operations on directories not writeable by the
- * webserver. It connects back to the server using some backend (for example
- * FTP or SSH). To keep security the password should always be asked from the
- * user and never stored.
+ * Classes extending this class perform file operations on directories not
+ * writeable by the webserver. To achieve this, the class should connect back
+ * to the server using some backend (for example FTP or SSH). To keep security,
+ * the password should always be asked from the user and never stored. For
+ * safety, all methods operate only inside a "jail", by default the Drupal root.
  */
 abstract class FileTransfer {
+  protected $jail = DRUPAL_ROOT;
+
+  protected $username;
+  
+  protected $password;
+  
+  protected $hostname = 'localhost';
+  
+  protected $port;
+
+  /**
+   * Get a FileTransfer object.
+   */
+  function get() {
+    $class = variable_get('filetransfer_class', NULL);
+    echo "$class ";
+    return new $class(array());
+  }
+  
 
   /**
    * The constructer for the UpdateConnection class. This method is also called
    * from the classes that extend this class and override this method.
    */
-  function __construct($settings) {
+  function __construct($settings, $jail = NULL) {
     $this->username = $settings['username'];
     $this->password = $settings['password'];
-    $this->hostname = isset($settings['hostname']) ? $settings['hostname'] : 'localhost';
+    if (isset($settings['hostname'])) {
+      $this->hostname = $settings['hostname'];
+    }
     if (isset($settings['port'])) {
       $this->port = $settings['port'];
     }
+    if (isset($jail)) {
+      $this->jail = $jail;
+    }
   }
 
   /**
@@ -31,30 +56,107 @@ abstract class FileTransfer {
    * this method.
    */
   function __get($name) {
-    static $connection;
     if ($name == 'connection') {
       $this->connection = $this->connect();
       return $this->connection;
     }
   }
+  
+  /**
+   * Connect to the server.
+   */
+  abstract protected function connect();
+
+  /**
+   * Copies a directory.
+   *
+   * @param $source
+   *   The source path.
+   * @param $destination
+   *   The destination path.
+   */
+  public final function copyDirectory($source, $destination) {
+    $this->checkPath($destination);
+    $this->copyDirectoryJailed($source, $destination);
+  }
+
+  /**
+   * Creates a directory.
+   *
+   * @param $directory
+   *   The directory to be created.
+   */
+  public final function createDirectory($directory) {
+    $this->checkPath($directory);
+    $this->createDirectoryJailed($directory);
+  }
+  
+  /**
+   * Removes a directory.
+   *
+   * @param $directory
+   *   The directory to be removed.
+   */
+  public final function removeDirectory($directory) {
+    $this->checkPath($directory);
+    $this->removeDirectoryJailed($directory);
+  }
+
+  /**
+   * Copies a file.
+   *
+   * @param $source
+   *   The source file.
+   * @param $destination
+   *   The destination file.
+   */
+  public final function copyFile($source, $destination) {
+    $this->checkPath($destination);
+    $this->copyFileJailed($source, $destination);
+  }
 
   /**
+   * Removes a file.
+   *
+   * @param $destination
+   *   The destination file to be removed.
+   */
+  public final function removeFile($destination) {
+    $this->checkPath($destination);
+    $this->removeFileJailed($destination);
+  }
+  
+  /**
+   * Checks that the path is inside the jail and throws an exception if not.
+   *
+   * @param $path
+   *   A path to check against the jail.
+   */
+  protected final function checkPath($path) {
+    if (realpath(substr($path, 0, strlen($this->jail))) !== $this->jail) {
+      throw new FileTransferException('@directory is outside of the @jail', NULL, array('@directory' => $path, '@jail' => $this->jail));
+    }
+  }
+  
+  /**
    * Copies a directory.
    *
+   * We need a separate method to make the $destination is in the jail.
+   *
    * @param $source
    *   The source path.
    * @param $destination
    *   The destination path.
    */
-  protected function copyDirectory($source, $destination) {
+  protected function copyDirectoryJailed($source, $destination) {
     $this->createDirectory($destination . basename($source));
     foreach (new RecursiveIteratorIterator(new RecursiveDirectoryIterator($source), RecursiveIteratorIterator::SELF_FIRST) as $filename => $file) {
       $relative_path = basename($source) . substr($filename, strlen($source));
       if ($file->isDir()) {
-        $this->createDirectory($destination . $relative_path);
+        $this->createDirectory($destination . '/' .$relative_path);
       }
       else {
-        $this->copyFile($file->getPathName(), $destination . $relative_path);
+        $this->copyFile($file->getPathName(), $destination . '/' .$relative_path);
       }
     }
   }
@@ -65,7 +167,7 @@ abstract class FileTransfer {
    * @param $directory
    *   The directory to be created.
    */
-  abstract function createDirectory($directory);
+  abstract protected function createDirectoryJailed($directory);
 
   /**
    * Removes a directory.
@@ -73,7 +175,7 @@ abstract class FileTransfer {
    * @param $directory
    *   The directory to be removed.
    */
-  abstract function removeDirectory($directory);
+  abstract protected function removeDirectoryJailed($directory);
 
   /**
    * Copies a file.
@@ -83,8 +185,7 @@ abstract class FileTransfer {
    * @param $destination
    *   The destination file.
    */
-  abstract function copyFile($source, $destination);
-
+  abstract protected function copyFileJailed($source, $destination);
 
   /**
    * Removes a file.
@@ -92,11 +193,15 @@ abstract class FileTransfer {
    * @param $destination
    *   The destination file to be removed.
    */
-  abstract function removeFile($destination);
+  abstract protected function removeFileJailed($destination);
 }
 
 /**
  * FileTransferException class.
  */
 class FileTransferException extends Exception {
+  function __construct($message, $code, $arguments) {
+    // @TODO: make this actually work. Add watchdog right here?
+    parent::__construct($message, $code);
+  }
 }

=== modified file 'includes/filetransfer/ftp.inc'
--- includes/filetransfer/ftp.inc	2009-06-24 01:45:09 +0000
+++ includes/filetransfer/ftp.inc	2009-06-25 14:38:14 +0000
@@ -5,32 +5,33 @@
  * Common code for the FTP connections.
  */
 abstract class FileTransferFTP extends FileTransfer {
-  function __construct($settings) {
+  function __construct($settings, $jail = NULL) {
     // This is the default, if $settings contains a port, this will be overridden.
     $this->port = 21;
-    parent::__construct($settings);
+    parent::__construct($settings, $jail);
   }
 }
 
 /**
- * Connection class using the FTP URL wrapper.
+ * File transfer class using the FTP URL wrapper.
  */
-class FileTransferFTPWrapper extends FileTransfer {
+class FileTransferFTPWrapper extends FileTransferFTP {
   function connect() {
-    $this->connection = 'ftp://' . urlencode($this->username) . ':' . urlencode($this->password) . '@' . $this->hostname . ':' . $this->port . '/';
-    if (!is_dir($this->connection)) {
+    $connection = 'ftp://' . urlencode($this->username) . ':' . urlencode($this->password) . '@' . $this->hostname . ':' . $this->port . '/';
+    if (!is_dir($connection)) {
       throw new FileTransferException('FTP Connection failed.');
     }
+    return $connection;
   }
 
-  function createDirectory($directory) {
+  function createDirectoryJailed($directory) {
     if (!@createDirectory($directory)) {
       $exception = new FileTransferException('Cannot create directory @directory.', NULL, array('@directory' => $directory));
       throw $exception;
     }
   }
 
-  function removeDirectory($directory) {
+  function removeDirectoryJailed($directory) {
     if (realpath(substr($directory, 0, strlen(DRUPAL_ROOT))) !== DRUPAL_ROOT) {
       throw new FileTransferException('@directory is outside of the Drupal root.', NULL, array('@directory' => $directory));
     }
@@ -56,44 +57,48 @@ class FileTransferFTPWrapper extends Fil
     }
   }
 
-  function copyFile($source, $destination) {
+  function copyFileJailed($source, $destination) {
     if (!@copy($this->connection . '/' . $source, $this->connection . '/' . $destination)) {
       throw new FileTransferException('Cannot copy @source_file to @destination_file.', NULL, array('@source' => $source, '@destination' => $destination));
     }
   }
 
-  function removeFile($destination) {
+  function removeFileJailed($destination) {
     if (!@unlink($destination)) {
       throw new FileTransferException('Cannot remove @destination', NULL, array('@destination' => $destination));
     }
   }
 }
 
-class FileTransferFTPExtension extends FileTransfer {
-  function connect() {
-    $this->connection = ftp_connect($this->hostname, $this->port);
+/**
+ * File transfer class using the FTP extension.
+ */
+class FileTransferFTPExtension extends FileTransferFTP {
+  protected function connect() {
+    $connection = ftp_connect($this->hostname, $this->port);
 
-    if (!$this->connection) {
+    if (!$connection) {
       throw new FileTransferException("Cannot connect to FTP Server, please check settings");
     }
-    if (!ftp_login($this->connection, $this->username, $this->password)) {
+    if (!ftp_login($connection, $this->username, $this->password)) {
       throw new FileTransferException("Cannot login to FTP server, please check username and password");
     }
+    return $connection;
   }
 
-  function copyFile($source, $destination) {
+  protected function copyFileJailed($source, $destination) {
     if (!@ftp_put($this->connection,  $destination, $source, FTP_BINARY)) {
       throw new FileTransferException("Cannot move @source to @destination", NULL, array("@source" => $source, "@destination" => $destination));
     }
   }
 
-  function createDirectory($directory) {
+  protected function createDirectoryJailed($directory) {
     if (!@ftp_createDirectory($this->connection, $directory)) {
       throw new FileTransferException("Cannot create directory @directory", NULL, array("@directory" => $directory));
     }
   }
 
-  function removeDirectory($directory) {
+  protected function removeDirectoryJailed($directory) {
     if (realpath(substr($directory, 0, strlen(DRUPAL_ROOT))) !== DRUPAL_ROOT) {
       throw new FileTransferException('@directory is outside of the Drupal root.', NULL, array('@directory' => $directory));
     }
@@ -120,7 +125,7 @@ class FileTransferFTPExtension extends F
     }
   }
 
-  function removeFile($destination) {
+  protected function removeFileJailed($destination) {
     if (!ftp_delete($this->connection, $item)) {
       throw new FileTransferException("Unable to remove to file @file", NULL, array('@file' => $item));
     }

=== modified file 'includes/filetransfer/ssh.inc'
--- includes/filetransfer/ssh.inc	2009-06-23 12:11:19 +0000
+++ includes/filetransfer/ssh.inc	2009-06-25 14:37:37 +0000
@@ -2,54 +2,52 @@
 // $Id: ssh.inc,v 1.1 2009/06/23 12:11:19 dries Exp $
 
 /**
- * The SSH connection class for the update module.
+ * Filetransfer class using the ssh2 extension.
  */
 class FileTransferSSH extends FileTransfer {
 
-  function __construct($settings) {
+  function __construct($settings, $jail = NULL) {
     // This is the default, if $settings contains a port, this will be overridden.
     $this->port = 22;
-    parent::__construct($settings);
+    parent::__construct($settings, $jail);
   }
 
   function connect() {
-    $this->connection = @ssh2_connect($setings['hostname'], $this->port);
-    if (!$this->connection) {
+    $connection = @ssh2_connect($setings['hostname'], $this->port);
+    if (!$connection) {
       throw new FileTransferException('SSH Connection failed.');
     }
-    if (!@ssh2_auth_password($this->connection, $this->username, $this->password)) {
+    if (!@ssh2_auth_password($connection, $this->username, $this->password)) {
       throw new FileTransferException('The supplied username/password combination was not accepted.');
     }
+    return $connection;
   }
 
-  function copyFile($source, $destination) {
+  protected function copyFileJailed($source, $destination) {
     if (!@ssh2_scp_send($this->connection, $source, $destination)) {
       throw new FileTransferException('Cannot copy @source_file to @destination_file.', NULL, array('@source' => $source, '@destination' => $destination));
     }
   }
 
-  function copyDirectory($source, $destination) {
+  protected function copyDirectoryJailed($source, $destination) {
     if (!@ssh2_exec($this->connection, 'cp -Rp ' . escapeshellarg($source) . ' ' . escapeshellarg($destination))) {
       throw new FileTransferException('Cannot copy directory @directory.', NULL, array('@directory' => $source));
     }
   }
 
-  function createDirectory($directory) {
+  protected function createDirectoryJailed($directory) {
     if (!@ssh2_exec($this->connection, 'mkdir ' . escapeshellarg($directory))) {
       throw new FileTransferException('Cannot create directory @directory.', NULL, array('@directory' => $directory));
     }
   }
 
-  function removeDirectory($directory) {
-    if (realpath(substr($directory, 0, strlen(DRUPAL_ROOT))) !== DRUPAL_ROOT) {
-      throw new FileTransferException('@directory is outside of the Drupal root.', NULL, array('@directory' => $directory));
-    }
+  protected function removeDirectoryJailed($directory) {
     if (!@ssh2_exec($this->connection, 'rm -Rf ' . escapeshellarg($directory))) {
       throw new FileTransferException('Cannot remove @directory.', NULL, array('@directory' => $directory));
     }
   }
   
-  function removeFile($destination) {
+  protected function removeFileJailed($destination) {
     if (!@ssh2_exec($this->connection, 'rm ' . escapeshellarg($destination))) {
       throw new FileTransferException('Cannot remove @directory.', NULL, array('@directory' => $destination));
     }

=== modified file 'modules/system/system.module'
--- modules/system/system.module	2009-06-23 12:11:19 +0000
+++ modules/system/system.module	2009-06-25 14:25:48 +0000
@@ -828,7 +828,7 @@ function system_admin_menu_block_access(
 }
 
 /**
- * Implementation of hook_filetransfer_backends().
+ * Implement hook_filetransfer_backends().
  */
 function system_filetransfer_backends() {
   $backends = array();
@@ -847,7 +847,6 @@ function system_filetransfer_backends() 
       'class' => 'FileTransferFTPExtension',
     );
   }
-
   if (ini_get('allow_url_fopen')) {
     $backends['ftp_wrapper'] = array(
       'title' => t('FTP Wrapper'),
@@ -857,6 +856,44 @@ function system_filetransfer_backends() 
   return $backends;
 }
 
+function system_filetransfer_backend_form($type, $show_non_stored_fields = FALSE) {
+  $form = array();
+  
+  $form['hostname'] = array (
+    '#type' => 'textfield',
+    '#title' => t('Host'),
+    '#default_value' => 'localhost',
+  );
+  
+  $form['port'] = array (
+    '#type' => 'textfield',
+    '#title' => t('Port'),
+    '#default_value' => NULL,
+  );
+  
+  $form['username'] = array (
+    '#type' => 'textfield',
+    '#title' => t('Username'),
+  );
+  
+  $form['password'] = array (
+    '#type' => 'password',
+    '#title' => t('Password'),
+    '#description' => t('This is not saved in the database and is only used to test the connection'),
+  );
+  
+  switch ($type) {
+    case 'ssh':
+      $form['port']['#default_value'] = 22;
+      break;
+    case 'ftp_wrapper':
+    case 'ftp_extension':
+      $form['port']['#default_value'] = 21;
+      break;
+  }
+  return $form;
+}
+
 /**
  * Implement hook_init().
  */
@@ -2543,29 +2580,37 @@ function system_image_toolkits() {
 /**
  * Attempts to get a file using drupal_http_request and to store it locally.
  *
- * @param $path
+ * @param $url
  *   The URL of the file to grab.
+ *
+ * @param $destination
+ *   Where the file should be saved, if a directory is provided, file is saved
+ *   in that directory with its original name.  If a filename is provided,
+ *   remote fileis stored to that location.  NOTE: Relative to drupal "files" directory"
+ *
+ * @param $overwrite boolean
+ *   Defaults to TRUE, will overwrite existing files of the same name.
+ *  
  * @return
  *   On success the address the files was saved to, FALSE on failure.
  */
-function system_retrieve_file($path) {
-  // Get each of the specified files.
-  $parsed_url = parse_url($path);
-  $local = file_directory_temp() . '/update-cache/' . basename($parsed_url['path']);
-  if (!file_exists(file_directory_temp() . '/update-cache/')) {
-    mkdir(file_directory_temp() . '/update-cache/');
-  }
-
-  // Check the cache and download the file if needed.
-  if (!file_exists($local)) {
-    // $result->data is the actual contents of the downloaded file. This saves
-    // it into a local file, whose path is stored in $local. $local is stored
-    // relative to the Drupal installation.
-    $result = drupal_http_request($path);
-    if ($result->code != 200 || !file_save_data($result->data, $local)) {
-      drupal_set_message(t('@remote could not be saved.', array('@remote' => $path)), 'error');
-      return FALSE;
-    }
+function system_retrieve_file($url, $destination = NULL, $overwrite = TRUE) {
+  if (!$destination) {
+    $destination = file_directory_temp();
+  }
+  $parsed_url = parse_url($url);
+  $local = is_dir(file_directory_path() . '/' . $destination) ? $destination . '/' . basename($parsed_url['path']) : $destination;
+  
+  if (!$overwrite && file_exists($local)) {
+    drupal_set_message(t('@remote could not be saved. @local already exists', array('@remote' => $url, '@local' => $local)), 'error');
+    return FALSE;
+  }
+  
+  $result = drupal_http_request($url);
+  if ($result->code != 200 || !file_save_data($result->data, $local)) {
+    drupal_set_message(t('@remote could not be saved.', array('@remote' => $url)), 'error');
+    return FALSE;
   }
+  
   return $local;
 }