FileZilla can be dangerous with Drag and Drop enabled

Drag and Drop in FileZilla can be super dangerous, and a simple accidental move can take down an entire website.

By. Jacob

Edited: 2024-06-09 06:27

Today I just experienced a recurring and very critical problem with the FileZilla FTP program – in fact, I think the problem is so critical that we should probably be banning the use of FileZilla for all intents and purposes, or alternatively at least make sure drag & drop is disabled in users' configuration.

The problem:

In between the two clicks in a double-click action, there is a risk of accidentally dragging a folder instead of entering it, which can have catastrophic and expensive consequences for some websites.

Now, if you stop using FileZilla, do not just go and use the next best thing – be warned that while SFTP/FTP are open protocols, the client programs used on them are sometimes still commercial software and cost money. I do not think that's fair. These protocols have been around for so long, and I think everyone should be able to freely use them. For example, such functionality is often baked into your operating system of choice. Linux has a very nice selection of File Managers that are free and open source, and many of them support SFTP as well. It is truly mind-boggling why such capabilities are still handled by dedicated programs – if not to make the action of communicating with a server over the internet more intentional and concise – people do not care whether the protocol is called FTP or SFTP, most of us probably still just refer to it as "FTP".

I have been a user of FileZilla for many years, and during this time I have mostly been using it for non-critical projects; when something like this happened in the past, I would not spend much time thinking about it – instead I would just correct my error and move on. But it has now happened to me numerous times, and a few times with quite devastating results – it has ended up becoming a very irritating problem to me that has forced me to think about why Drag & Drop is even a thing inside FileZilla (to an extent at least). The most interesting thing is that I actually have no need for Drag & Drop on the server-side most of the time. So, I was recently wondering, why not just disable it completely?

Whenever I want to either perform upload or download actions, I can just right-click on the item and choose the desired option from the context menu. It is a far more "intentional" act. Typically, I have no need for scoped D&D – whether it be server->server or client->client – I do not use FileZilla as a File Manager (there are other programs for that).

During my time as a FileZilla user, I have occasionally wondered about the super sensitive Drag & Drop functionality, which would often get triggered unintentionally while navigating around folders normally. I practically never have any problems using D&D in other apps, including native File Managers in the operating systems I am using – but for some reason FileZilla's Drag and Drop is like super sensitive, and I am far from the only one who thinks so! A frequently requested feature is to have the option to disable server-side drag and drop completely in FileZilla – I agree with this, because it is rarely needed, and if I really want to move a folder, I will simply SSH into the server and get it done.

Mysteriously, it has been troubling users for 20 years if we are to believe FileZilla's tracking system. To be fair, a solution mentioned by some is to disable it in ~/.config/filezilla/FileZilla.xml (the location on Mac) by adding this option:

<Setting name="Drag and Drop disabled">1</Setting>

But it should not be hidden away in a file on your system! It should be toggle-able from within the settings GUI of FileZilla. I also think it should either be the default setting or there should at least be a confirmation dialog when moving files around.

Note: If this setting seems to have no effect or gets reverted on your Mac, be sure that the FileZilla.app file has been moved to your Applications folder before you attempt to change the .xml file.
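One way to check for this option and set it without hand-editing the file, as an added example that is not FileZilla's or the author's code. The sample XML is constructed, the FileZilla3/Settings element layout is an assumption about the file's structure, and the function names are hypothetical:

```python
import shutil
import xml.etree.ElementTree as ET

SETTING_NAME = "Drag and Drop disabled"  # option name quoted on this page
# Constructed sample; the FileZilla3/Settings layout is an assumption.
SAMPLE_XML = """<FileZilla3 version="0.0.0" platform="mac">
  <Settings>
    <Setting name="Drag and Drop disabled">0</Setting>
  </Settings>
</FileZilla3>
"""

def find_setting(root):
    """Return the <Setting> element for the option, or None if absent."""
    for setting in root.iter("Setting"):
        if setting.get("name") == SETTING_NAME:
            return setting
    return None

def drag_and_drop_disabled(root):
    """True only when the option is present and set to 1."""
    setting = find_setting(root)
    return setting is not None and (setting.text or "").strip() == "1"

def disable_drag_and_drop(root):
    """Set the option to 1, creating it if missing. True if anything changed."""
    if drag_and_drop_disabled(root):
        return False
    setting = find_setting(root)
    if setting is None:
        settings = root.find("Settings")
        if settings is None:
            settings = ET.SubElement(root, "Settings")
        setting = ET.SubElement(settings, "Setting", {"name": SETTING_NAME})
    setting.text = "1"
    return True

def harden_file(path):
    """Fix one FileZilla.xml in place, keeping a .bak copy of the original."""
    tree = ET.parse(path)
    if not disable_drag_and_drop(tree.getroot()):
        return False
    shutil.copy2(path, path + ".bak")
    tree.write(path, encoding="UTF-8", xml_declaration=True)
    return True

if __name__ == "__main__":
    root = ET.fromstring(SAMPLE_XML)
    print(drag_and_drop_disabled(root), disable_drag_and_drop(root), drag_and_drop_disabled(root))
```

Calling harden_file on each user's FileZilla.xml path reports which profiles were missing the option, which also makes it usable as a periodic audit.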

Critically, users might not even realize that they have moved something. Even as someone who had this happen numerous times while using FileZilla, I still did not immediately realize it when it happened this time. We got a phone call that the server was down, and we were told the entire website root had been deleted, which made no sense to me because it requires a bit more "intent" to actually delete a folder. I knew I did not delete anything. In fact, I did not even realize anything had been moved, or indeed, where to!

The fact that I have unintentionally moved things in FileZilla so many times testifies to the severity of the problem. I am from now on done using FileZilla, and will start warning people against using it. If you need to transfer files, I suggest that you instead use programs that do not suffer from this problem, and consider using the command line as a safer alternative.

How to use the command line instead

To upload a file to the server:

scp /some/local/file.txt username@example.com:/home/username/file.txt

And, to download from the server to your local computer:

scp username@example.com:/home/username/file.txt /some/local/file.txt

And, to connect using an SSH key file:

scp -i ~/.ssh/mykeyfile.pem /some/local/file.txt username@example.com:/home/username/file.txt

As you can see, using the command line for such basic operations is actually not that difficult. Another option is to use rsync.

Links

  1. Disable Drag and Drop on the server - filezilla-project.org
  2. Feature request: Directory drag & drop option - filezilla-project.org
  3. The carnage a single drag and drop can cause - oscarg.ws