ioweb-gr/polyshell-disable-file-upload

Magento 2 module that disables file custom option uploads as a temporary PolyShell mitigation.

  • Type: magento2-module
  • Compatibility: 2.4.7-2.4.9
  • Code Quality: Fail
  • Tests: N/A
  • Security: Pass
  • License: OSL-3.0, AFL-3.0

Ioweb_PolyshellDisableFileUpload

Temporary Magento 2 hardening module that mitigates PolyShell-style abuse until the store is upgraded and fully patched.

What it provides

The module includes three practical protections:

  • A hard block for file custom option uploads.
  • A narrower image-extension-only mitigation inspired by Mark Shust's workaround.
  • A CLI command to scan and optionally clear files from pub/media/custom_options.

Admin configuration

Configuration is available at:

Stores > Configuration > Security > PolyShell Protection

Disable PolyShell Uploads

When enabled, the module hard-blocks file custom option uploads:

  • REST and API-driven file custom option payloads are rejected.
  • Files submitted through the standard Magento file custom option validation path are rejected too.

Use this if the store does not rely on file custom options at all.

Allow Only Image Extensions

When enabled, the module applies an image-only extension allowlist to the relevant Magento image upload path:

  • Rejects non-image filename extensions during image content validation.
  • Restricts the uploader to jpg, jpeg, gif, and png.

Use this if you want a narrower mitigation and still need image-only behavior.

Default configuration

For safety, both protections default to Yes.

CLI command

The module adds this command:

bin/magento ioweb:polyshell:custom-options:scan

Behavior:

  • Dry-run by default: lists files under pub/media/custom_options that would be removed.
  • Deletes only when --force is supplied.
  • Ignores .htaccess and .gitignore.

Example:

bin/magento ioweb:polyshell:custom-options:scan --force
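The image-only extension allowlist and the scan command's dry-run / --force behaviour, as added illustrative PHP that is not the module's own code. It assumes the scan walks the directory recursively and stands in for pub/media/custom_options with a constructed temporary directory.

```php
<?php
declare(strict_types=1);

// Extensions permitted by the "Allow Only Image Extensions" mode (from the README).
const ALLOWED_IMAGE_EXTENSIONS = ['jpg', 'jpeg', 'gif', 'png'];

// Files the scan command leaves untouched (from the README).
const SCAN_IGNORED_FILES = ['.htaccess', '.gitignore'];

// Image-only allowlist: the final extension, lower-cased, must be in the list.
// A name without any extension is rejected as well.
function isAllowedImageFilename(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, ALLOWED_IMAGE_EXTENSIONS, true);
}

// Lists regular files under $dir that a clear would remove, skipping the ignored
// names. Deletes them only when $force is true (the --force equivalent) and
// returns the affected paths either way. Recursion is an assumption of this demo.
function scanCustomOptions(string $dir, bool $force = false): array
{
    $affected = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if (!$file->isFile() || in_array($file->getFilename(), SCAN_IGNORED_FILES, true)) {
            continue;
        }
        $affected[] = $file->getPathname();
        if ($force) {
            unlink($file->getPathname());
        }
    }
    sort($affected);
    return $affected;
}

// Constructed demo directory standing in for pub/media/custom_options.
$dir = sys_get_temp_dir() . '/custom_options_demo_' . bin2hex(random_bytes(4));
mkdir($dir . '/quote', 0700, true);
file_put_contents($dir . '/.htaccess', 'Deny from all');
file_put_contents($dir . '/quote/logo.png', 'constructed placeholder content');
file_put_contents($dir . '/quote/upload.txt', 'constructed placeholder content');

var_dump(array_map('isAllowedImageFilename', ['logo.PNG', 'upload.txt', 'noext']));
print_r(scanCustomOptions($dir));         // dry run: lists candidates, deletes nothing
print_r(scanCustomOptions($dir, true));   // --force equivalent: the same files are removed

// Clean up the demo directory (the .htaccess was deliberately left in place).
unlink($dir . '/.htaccess');
rmdir($dir . '/quote');
rmdir($dir);
```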

Installation

Add the repository to your project and require the package:

composer config repositories.ioweb-polyshell-disable-file-upload vcs https://github.com/ioweb-gr/polyshell-disable-file-upload.git
composer require ioweb-gr/polyshell-disable-file-upload
bin/magento module:enable Ioweb_PolyshellDisableFileUpload
bin/magento setup:upgrade
bin/magento cache:flush

Notes

  • This module is a temporary mitigation, not a replacement for upgrading Magento.
  • Keep web server protections on /media/custom_options/ in place even with this module installed.
  • If your store genuinely uses file custom options, test carefully before enabling the hard block mode.

No changelog yet

The vendor hasn't published a changelog. Tagged releases appear in the Versions tab.

Versions

Version  Stability  QA Status   Compatibility        Released
1.0.5    stable     Fail        Magento 2.4.7-2.4.9  2026-03-23 14:29:41
1.0.4    stable     Not tested  Not yet tested       2026-03-23 10:54:39

Requires (1)

Package  Constraint
php      >=7.4

Compatibility

Each Magento release line is installed on its supported PHP versions, then the module is built (DI compilation + static-content deploy) and its unit and integration suites are run. The matrix shows the lines and PHP versions the module is confirmed to install and run on. Code-quality results further down (phpstan, phpcs, …) are reported separately and never affect compatibility.

Compatibility matrix (Magento × PHP)
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 Pass Pass
2.4.8 Pass Pass
2.4.9 Pass Pass

Code Quality

Advisory checks against the module's source. Static analysis runs once across the whole module; PHPStan re-runs per Magento + PHP version because resolvable symbols differ between releases. These NEVER affect the Compatibility badge — a phpcs finding can't make a module incompatible.

Static analysis

Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.

Static analysis results

Tool               Status   Findings  Summary
PHPCS              Warning  2         2 warnings (ruleset: Magento2); 1 auto-fixable with phpcbf
PHPMD              Warning  5         5 rule violations (UnusedFormalParameter: 5)
Cpd                Pass     0
Composer validate  Info     1         valid; 1 advisory note (composer validate --strict)

PHPStan

Type-checks the module's PHP against a real Magento install at the configured gate level. Re-runs per Magento and PHP version because resolvable symbols differ between releases.

PHPStan results by Magento and PHP version
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 1 1
2.4.8 1 1
2.4.9 1 1

Tests

Unit and integration suites, run for each applicable Magento and PHP version. A test failure speaks to the module's behaviour, not its compatibility with a Magento line, so it is reported here separately and never reddens the compatibility matrix.

Unit tests

Unit tests results by Magento and PHP version
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 N/A N/A
2.4.8 N/A N/A
2.4.9 N/A N/A

Integration tests

Integration tests results by Magento and PHP version
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 N/A N/A
2.4.8 N/A N/A
2.4.9 N/A N/A

Security

Security checks run directly against the module: an audit of its declared dependencies for known vulnerabilities (composer audit) and a scan of its source for malware and web-shell signatures. Each runs once. A malware detection fails the version outright.

Security results

Tool            Status  Findings
Composer audit  Pass    0
Malware scan    Pass    0

License

OSL-3.0, AFL-3.0
