Aviberry

I've only looked at a part of the code and haven't tried to run this, but I'm a bit worried about the xmlrpc callbacks.

It appears as if unauthenticated, unauthorized users can call the xmlrpc callback _aviberry_server_callback via the xmlrpc method aviberry.callback.

At least, there's no check I can see that verifies this request comes from the aviberry server and/or needs additional permissions and/or has not been tampered with.

The callback then proceeds to do a lot of work and gets to saving of the thumbnail if $conversion['status'] == 'finished':

 106     $thumbscheme = !empty($field['settings']['uri_scheme_thumbnails']) ? $field['settings']['uri_scheme_thumbnails'] : 'public';
 107     $thumburibase =  $thumbscheme . '://' . variable_get('video_thumbnail_path', 'videos/thumbnails') . '/' . $video->fid . '/';
 108     file_prepare_directory($thumburibase, FILE_CREATE_DIRECTORY);
 109     $thumbwrapper = file_stream_wrapper_get_instance_by_scheme($thumbscheme);
 110 
 111     $thumbnail['url'] = $conversion['result'][0][0][0]['preview_url']; // <- !!
 112 
 113     $existingthumbs = db_query('SELECT f.uri, f.fid FROM {file_managed} f INNER JOIN {video_thumbnails} t ON (f.fid = t.thumbnailfid) WHERE t.videofid = :fid', array(':fid' => $video->fid))->fetchAllKeyed();
 114 
 115     $urlpath = parse_url($thumbnail['url'], PHP_URL_PATH); // <- !!
 116     $ext = video_utility::getExtension($urlpath);                   // <- !!
 117     $thumb = new stdClass();
 118     $thumb->uid = $entity->uid;
 119     $thumb->status = FILE_STATUS_PERMANENT;
 120     $thumb->filename = 'thumbnail-' . $video->fid . '_' . sprintf('%04d', 0) . '.' . $ext; // <- !!
 121     $thumb->uri = $thumburibase . $thumb->filename;
 122     $thumb->filemime = $thumbwrapper->getMimeType($thumb->uri);
 123     $thumb->type = 'image'; // For the media module
 124     if (isset($existingthumbs[$thumb->uri])) {
 125       $thumb->fid = intval($existingthumbs[$thumb->uri]);
 126     }
 127 
 128     if (!copy($thumbnail['url'], $thumb->uri)) {  // <- !!
 129       watchdog('transcoder', 'Could not copy @thumbsrc to @thumbdest.', array('@thumbsrc' => $thumbnail['url'], '@thumbdest' => $thumb->uri), WATCHDOG_ERROR);
 130       return false;
 131     }
 132 
 133     file_save($thumb);

The extension of the thumbnail is derived from conversion data, which is in effect user-supplied data. This allows an attacker to copy executable (eg php) files onto the system.

Mitigation: In many cases, the .htaccess in the files directory protects against PHP execution. An exploit might need a video in the queue.

Please see the automated review report here.
Manual Review:

1. .info file - Remove version = 7.x-1.0 as added by drupal.org when a release is created refer http://drupal.org/node/231036.
2. Suggestion:Form element name and function name should start with module name as _loadVideoQueue(); to _aviberry_loadVideoQueue();

others to be modified:$form['settings']['video']['video_aviberry_preset']
_check_callback_param();

I'm sorry for the delay!
There are about 100 other applications waiting for review and only a hand full of active reviewers.
We do really need more hands in the application queue and highly recommend to get a review bonus so we can come back to your application sooner.

manual review:

1. Remove the licensing header from all PHP files, you can give credit in README.txt and a license file is added automatically for downloadable releases.
2. aviberry_uninstall(): remove that function, Drupal 7 will remove the tables automatically for you.
3. "variable_get('video_aviberry_ftp_connect_string', NULL)": does the video module remove those variables upon uninstallation for you? If not, you should do that in hook_uninstall().
4. Project page is too short, see http://drupal.org/node/997024

Although you should definitively fix those issues they are not hard blockers. Otherwise RTBC to me.

Please make sure to fix the issues pointed out by klausi,
however there were no further issues I could find.

Thanks for your contribution!

I updated your account to let you promote this to a full project and also create new projects as either a sandbox or a "full" project.

Here are some recommended readings to help with excellent maintainership:

• Dries' post on Responsible maintainers
• Best practices for creating and maintaining projects
• Maintaining a drupal.org project with Git
• Commit messages - providing history and credit
• Release naming conventions.
• Helping maintainers in the issue queues

You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and get involved!

Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.

Thanks to the dedicated reviewer(s) as well.