Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
We should not check for updates without SSL.
const UPDATE_DEFAULT_URL = 'http://updates.drupal.org/release-history';
We should also not download any update without SSL. Otherwise man in the middle attacks are possible and an attacker may disrupt/redirect the download to an install package with a backdoor.
Comments
Comment #1
hass CreditAttribution: hass commented