Channel: Issues for Drupal core

If allow_authorize_operations is FALSE, print a better error about it on Update Manager routes


Currently allow_authorize_operations defaults to TRUE. This allows users to download code into their site. This functionality should be specifically enabled so if a site is compromised the attacker can't install arbitrary modules.

This issue came out of a conversation on Twitter - https://twitter.com/skwashd/status/362541343911854081

I have lost track of Drupal 8, so I'm filing this against D7 with a patch. I know it will need to be implemented in D8 first.

Patch coming right up.

Here's the documentation on the killswitch:

/**
 * Authorized file system operations:
 *
 * The Update manager module included with Drupal provides a mechanism for
 * site administrators to securely install missing updates for the site
 * directly through the web user interface by providing either SSH or FTP
 * credentials. This allows the site to update the new files as the user who
 * owns all the Drupal files, instead of as the user the webserver is running
 * as. However, some sites might wish to disable this functionality, and only
 * update the code directly via SSH or FTP themselves. This setting completely
 * disables all functionality related to these authorized file operations.
 *
 * Remove the leading hash signs to disable.
 */
# $conf['allow_authorize_operations'] = FALSE;
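
As an added example (not part of the original issue or of Drupal's code), this heuristic Python check reports whether a Drupal 7 settings.php actually activates the killswitch quoted above, rather than leaving it commented out. The function name, the state labels and the sample strings are assumptions made for illustration.

```python
import re

# Heuristic matcher for: $conf['allow_authorize_operations'] = <value>;
ASSIGN_RE = re.compile(
    r"""\$conf\[\s*(['"])allow_authorize_operations\1\s*\]\s*=\s*([^;]+?)\s*;"""
)
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)


def authorize_operations_state(php_source):
    """Classify the setting found in the text of a Drupal 7 settings.php.

    Returns 'disabled', 'enabled-explicit', 'enabled-default' or 'unknown'.
    """
    # Drop /* ... */ docblocks, then whole-line '#' and '//' comments.
    code = BLOCK_COMMENT_RE.sub("", php_source)
    live_lines = [
        line for line in code.splitlines()
        if not line.lstrip().startswith(("#", "//"))
    ]
    values = [m.group(2) for m in ASSIGN_RE.finditer("\n".join(live_lines))]
    if not values:
        # No live assignment: the issue states the default is TRUE.
        return "enabled-default"
    last = values[-1].strip().lower()  # a later assignment overrides earlier ones
    if last in ("false", "0"):
        return "disabled"
    if last in ("true", "1"):
        return "enabled-explicit"
    return "unknown"  # e.g. a variable or function call; review by hand


# Constructed sample inputs (not taken from a real site).
SHIPPED = (
    "/**\n * Remove the leading hash signs to disable.\n */\n"
    "# $conf['allow_authorize_operations'] = FALSE;\n"
)
HARDENED = "$conf['allow_authorize_operations'] = FALSE;\n"
OVERRIDDEN = HARDENED + '$conf["allow_authorize_operations"] = TRUE; // re-enabled\n'

if __name__ == "__main__":
    for name, text in [("shipped", SHIPPED), ("hardened", HARDENED),
                       ("overridden", OVERRIDDEN)]:
        print(name, "->", authorize_operations_state(text))
```

A result of `enabled-default` only means that settings.php does not pin the value; it does not prove the feature is reachable on the site.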

