# ioweb-gr/polyshell-disable-file-upload

> Magento 2 module that disables file custom option uploads as a temporary PolyShell mitigation.

`composer require ioweb-gr/polyshell-disable-file-upload`

Canonical URL: https://packagento.com/ioweb-gr/polyshell-disable-file-upload

## At a glance

- **Vendor**: ioweb-gr (https://packagento.com/ioweb-gr.md)
- **Latest version**: 1.0.5 — released 2026-03-23
- **Pricing**: Free
- **Package type**: Magento 2 module
- **Status**: active, accepting new buyers

## Installation

Packagento is licence-gated, so even free packages need a licence on a project before Composer can resolve them.

1. **Sign in or create an account** at https://packagento.com/customer/account/.

2. **Add the package to your account.** Open https://packagento.com/ioweb-gr/polyshell-disable-file-upload and complete the free checkout. A licence is minted automatically.

3. **Create or pick a project, then activate the licence on it.**
   - Projects represent the Magento installs you deploy to. Manage them at https://packagento.com/projects/.
   - Activate the new licence on the project you'll deploy this package to. Activation is what generates the Composer credentials scoped to that project.

4. **Add the project credentials to your Magento codebase.**

   Grab the project's public + private key from https://packagento.com/projects/ (open the project, then its Credentials tab), and add them to `auth.json`:

   ```json
   {
     "http-basic": {
       "packagento.com": {
         "username": "ppk_live_...",
         "password": "psk_live_..."
       }
     }
   }
   ```

   Add the Packagento Composer repository to `composer.json`:

   ```json
   {
     "repositories": [
       { "type": "composer", "url": "https://packagento.com" }
     ]
   }
   ```

5. **Install and apply.**

   ```bash
   composer require ioweb-gr/polyshell-disable-file-upload:*
   bin/magento setup:upgrade
   bin/magento setup:di:compile
   bin/magento cache:flush
   ```

## What it does

Magento 2 module that disables file custom option uploads as a temporary PolyShell mitigation.

## README

Temporary Magento 2 hardening module that mitigates PolyShell-style abuse until the store is upgraded and fully patched.

### What it provides

The module includes three practical protections:

- A hard block for file custom option uploads.
- A narrower image-extension-only mitigation inspired by [Mark Shust's workaround](https://github.com/markshust/magento-polyshell-patch).
- A CLI command to scan and optionally clear files from `pub/media/custom_options`.

### Admin configuration

Configuration is available at:

`Stores > Configuration > Security > PolyShell Protection`

#### Disable PolyShell Uploads

When enabled, the module hard-blocks file custom option uploads:

- REST and API-driven file custom option payloads are rejected.
- Files submitted through Magento's standard file custom option validation path are rejected too.

Use this if the store does not rely on file custom options at all.

#### Allow Only Image Extensions

When enabled, the module applies an image-only extension allowlist to the relevant Magento image upload path:

- rejects non-image filename extensions during image content validation
- restricts the uploader to `jpg`, `jpeg`, `gif`, and `png`

Use this if you want a narrower mitigation and still need image-only behavior.

### Default configuration

For safety, both protections default to `Yes`.

### CLI command

The module adds this command:

```bash
bin/magento ioweb:polyshell:custom-options:scan
```

Behavior:

- Dry-run by default: lists files under `pub/media/custom_options` that would be removed.
- Deletes only when `--force` is supplied.
- Ignores `.htaccess` and `.gitignore`.

Example:

```bash
bin/magento ioweb:polyshell:custom-options:scan --force
```
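As an added illustration, not the module's own code (which is PHP inside Magento), the POSIX sh script below sketches the two behaviours described in the "Allow Only Image Extensions" section and the CLI command section above: a case-insensitive allowlist check that accepts only `jpg`, `jpeg`, `gif` and `png` extensions, and a scan of a `custom_options` directory that lists every regular file except `.htaccess` and `.gitignore` and deletes them only when `--force` is passed. The function names `is_allowed_image_ext` and `scan_custom_options`, and the directory argument, are assumptions made for this example.

```shell
# Added example; not the ioweb-gr module's code. Function and argument
# names are assumptions for illustration.

# Allowlist check mirroring the "Allow Only Image Extensions" mode.
# Returns 0 when the final extension (compared case-insensitively) is one
# of jpg, jpeg, gif, png; returns 1 otherwise. Names without any extension
# are rejected rather than allowed by default.
is_allowed_image_ext() {
  name=$(basename "$1")
  case "$name" in
    *.*) ext=${name##*.} ;;
    *)   return 1 ;;
  esac
  ext=$(printf '%s' "$ext" | tr 'A-Z' 'a-z')
  case "$ext" in
    jpg|jpeg|gif|png) return 0 ;;
    *)                return 1 ;;
  esac
}

# Scan (and optionally clear) a custom_options directory.
# Usage: scan_custom_options DIR [--force]
# Dry-run by default: prints each regular file under DIR that would be
# removed, skipping .htaccess and .gitignore. Deletes only with --force.
# Returns 2 if DIR does not exist.
scan_custom_options() {
  dir=$1
  mode=${2:-}
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
  find "$dir" -type f ! -name .htaccess ! -name .gitignore \
  | while IFS= read -r f; do
      if [ "$mode" = "--force" ]; then
        rm -f -- "$f" && echo "removed $f"
      else
        echo "would remove $f"
      fi
    done
}

# Typical use against a Magento docroot (path is an assumption):
#   scan_custom_options /var/www/magento/pub/media/custom_options
#   scan_custom_options /var/www/magento/pub/media/custom_options --force
```

Two points worth keeping in mind when reading this. The allowlist looks only at the last filename extension and never at file contents, which is why the README applies it during Magento's image content validation rather than on its own; and the scan deliberately reports before it deletes, so run it without `--force` first and review the list, since the module's own notes say some stores genuinely rely on file custom options.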

### Installation

Add the repository to your project and require the package:

```bash
composer config repositories.ioweb-polyshell-disable-file-upload vcs https://github.com/ioweb-gr/polyshell-disable-file-upload.git
composer require ioweb-gr/polyshell-disable-file-upload
bin/magento module:enable Ioweb_PolyshellDisableFileUpload
bin/magento setup:upgrade
bin/magento cache:flush
```

### Notes

- This module is a temporary mitigation, not a replacement for upgrading Magento.
- Keep web server protections on `/media/custom_options/` in place even with this module installed.
- If your store genuinely uses file custom options, test carefully before enabling the hard block mode.

## Recent Versions

| Version | Released |
|---|---|
| 1.0.5 | 2026-03-23 |
| 1.0.4 | 2026-03-23 |

## Dependencies

### Require

| Package | Constraint |
|---|---|
| php | >=7.4 |

## Quality

Latest release (1.0.5) fails the Packagento QA pipeline. Verdicts below are per-cell (Magento line × PHP version) for the matrixed tools, and run-once for the static / security tiers.


### Compatibility

Each Magento line is installed on its supported PHP versions, then the module is built (DI compile + static-content deploy). Cells show passed / failed / untested; staircase gaps render as `–`.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | Pass | Pass | – | – |
| 2.4.8 | – | Pass | Pass | – |
| 2.4.9 | – | – | Pass | Pass |


### Code Quality

Advisory checks against the module's source. Never affect the Compatibility verdict — a phpcs finding can't make a module incompatible.

#### Static Analysis

Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| PHPCS | Warning | 2 | 2 warnings (ruleset: Magento2) — 1 auto-fixable with phpcbf |
| PHPMD | Warning | 5 | 5 rule violations (UnusedFormalParameter:5) |
| Cpd | Pass | 0 |  |
| Composer validate | Info | 1 | valid; 1 advisory note (composer validate --strict) |

#### PHPStan

Type-checks the module against a real Magento install. Re-runs per Magento + PHP version because resolvable symbols differ between releases.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | 1 | 1 | – | – |
| 2.4.8 | – | 1 | 1 | – |
| 2.4.9 | – | – | 1 | 1 |


### Tests

Unit and integration suites run per Magento + PHP cell. Test failures speak to the module's behaviour, not its compatibility with a line, so they're reported here separately.

#### Unit Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | – | – |
| 2.4.8 | – | N/A | N/A | – |
| 2.4.9 | – | – | N/A | N/A |

#### Integration Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | – | – |
| 2.4.8 | – | N/A | N/A | – |
| 2.4.9 | – | – | N/A | N/A |


### Security

Dependency-advisory audit (composer audit) plus a source malware scan. A malware detection fails the version outright.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| Composer audit | Pass | 0 |  |
| Malware scan | Pass | 0 |  |

## Licence and pricing

Free. A licence is still minted on checkout and bound to your project for Composer access — no payment step.

Refundable within 14 days of first purchase via https://packagento.com/account/refunds/.

## Install via Claude Code or any MCP client

The Packagento MCP server can run the licence + project + Composer steps above in one tool call:

```
purchase_and_install_packages(
  composer_names=["ioweb-gr/polyshell-disable-file-upload"],
  project_id="proj_xxx"
)
```

This handles cart, checkout, licence minting, project activation, and writes auth.json credentials. Connect a client with `claude mcp add packagento https://mcp.packagento.com`. Full setup at https://packagento.com/docs/mcp-setup.

## Vendor

ioweb-gr is a Magento 2 vendor on Packagento. See https://packagento.com/ioweb-gr.md for their full catalogue.

