Search
My Cart

ioweb-gr / polyshell-disable-file-upload

ioweb-gr/polyshell-disable-file-upload

Magento 2 module that disables file custom option uploads as a temporary PolyShell mitigation.

magento2-module Compatibility: Not yet tested Code Quality: Pending Tests: N/A Security: Pending OSL-3.0, AFL-3.0
Viewing version 1.0.4. Latest version is 1.0.5. Switch to latest

Ioweb_PolyshellDisableFileUpload

Temporary Magento 2 hardening module that mitigates PolyShell-style abuse until the store is upgraded and fully patched.

What it provides

The module includes three practical protections:

  • A hard block for file custom option uploads.
  • A narrower image-extension-only mitigation inspired by Mark Shust's workaround.
  • A CLI command to scan and optionally clear files from pub/media/custom_options.

Admin configuration

Configuration is available at:

Stores > Configuration > Security > PolyShell Protection

Disable PolyShell Uploads

When enabled, the module hard-blocks file custom option uploads:

  • REST and API-driven file custom option payloads are rejected.
  • Standard Magento file custom option validation is rejected too.

Use this if the store does not rely on file custom options at all.

Allow Only Image Extensions

When enabled, the module applies an image-only extension allowlist to the relevant Magento image upload path:

  • rejects non-image filename extensions during image content validation
  • restricts the uploader to jpg, jpeg, gif, and png

Use this if you want a narrower mitigation and still need image-only behavior.

Default configuration

For safety, both protections default to Yes.

CLI command

The module adds this command:

bin/magento ioweb:polyshell:custom-options:scan

Behavior:

  • Dry-run by default: lists files under pub/media/custom_options that would be removed.
  • Deletes only when --force is supplied.
  • Ignores .htaccess and .gitignore.

Example:

bin/magento ioweb:polyshell:custom-options:scan --force

Installation

Add the repository to your project and require the package:

composer config repositories.ioweb-polyshell-disable-file-upload vcs https://github.com/ioweb-gr/polyshell-disable-file-upload.git
composer require ioweb-gr/polyshell-disable-file-upload
bin/magento module:enable Ioweb_PolyshellDisableFileUpload
bin/magento setup:upgrade
bin/magento cache:flush

Notes

  • This module is a temporary mitigation, not a replacement for upgrading Magento.
  • Keep web server protections on /media/custom_options/ in place even with this module installed.
  • If your store genuinely uses file custom options, test carefully before enabling the hard block mode.

No changelog yet

The vendor hasn't published a changelog. Tagged releases appear in the Versions tab.

Versions
Version Stability QA Status Compatibility Released
1.0.5 stable Fail Magento 2.4.7-2.4.9 Details 2026-03-23 14:29:41
1.0.4 stable Not tested Not yet tested Details 2026-03-23 10:54:39

Requires 1

Package Constraint
php >=7.4

No QA results yet

QA pipelines haven't run for this version. Compatibility and quality results appear here once the vendor publishes a tagged release that gets ingested.

License
OSL-3.0, AFL-3.0

More from ioweb-gr

View vendor
ioweb-gr/m2_mariadbhotfix Free
magento2-module
v1.0.9 3mo ago
1
ioweb-gr/m2-disable-customer-address-upload Free
magento2-module
v1.0.1 5mo ago
0
Make it pay

Turn an existing module into recurring revenue.

If you already maintain a Magento 2 module on GitHub or GitLab, listing it on Packagento takes about five minutes. We mirror your tags, handle distribution signing, and route paid licenses through Stripe Connect, so you can keep shipping the way you already do.

List your module