PHPackages ioweb-gr/polyshell-disable-file-upload - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. ioweb-gr/polyshell-disable-file-upload ActiveMagento2-module[Security](/categories/security) ioweb-gr/polyshell-disable-file-upload ====================================== Magento 2 module that disables file custom option uploads as a temporary PolyShell mitigation. 1.0.5(1mo ago)041↑2607.3%OSL-3.0PHPPHP >=7.4 Since Mar 23Pushed 1mo agoCompare [ Source](https://github.com/ioweb-gr/polyshell-disable-file-upload)[ Packagist](https://packagist.org/packages/ioweb-gr/polyshell-disable-file-upload)[ RSS](/packages/ioweb-gr-polyshell-disable-file-upload/feed)WikiDiscussions master Synced 1mo ago READMEChangelog (2)DependenciesVersions (3)Used By (0) Ioweb\_PolyshellDisableFileUpload ================================= [](#ioweb_polyshelldisablefileupload) Temporary Magento 2 hardening module that mitigates PolyShell-style abuse until the store is upgraded and fully patched. What it provides ---------------- [](#what-it-provides) The module includes three practical protections: - A hard block for file custom option uploads. - A narrower image-extension-only mitigation inspired by [Mark Shust's workaround](https://github.com/markshust/magento-polyshell-patch). - A CLI command to scan and optionally clear files from `pub/media/custom_options`. Admin configuration ------------------- [](#admin-configuration) Configuration is available at: `Stores > Configuration > Security > PolyShell Protection` ### Disable PolyShell Uploads [](#disable-polyshell-uploads) When enabled, the module hard-blocks file custom option uploads: - REST and API-driven file custom option payloads are rejected. - Standard Magento file custom option validation is rejected too. Use this if the store does not rely on file custom options at all. ### Allow Only Image Extensions [](#allow-only-image-extensions) When enabled, the module applies an image-only extension allowlist to the relevant Magento image upload path: - rejects non-image filename extensions during image content validation - restricts the uploader to `jpg`, `jpeg`, `gif`, and `png` Use this if you want a narrower mitigation and still need image-only behavior. Default configuration --------------------- [](#default-configuration) For safety, both protections default to `Yes`. CLI command ----------- [](#cli-command) The module adds this command: ``` bin/magento ioweb:polyshell:custom-options:scan ``` Behavior: - Dry-run by default: lists files under `pub/media/custom_options` that would be removed. - Deletes only when `--force` is supplied. - Ignores `.htaccess` and `.gitignore`. Example: ``` bin/magento ioweb:polyshell:custom-options:scan --force ``` Installation ------------ [](#installation) Add the repository to your project and require the package: ``` composer config repositories.ioweb-polyshell-disable-file-upload vcs https://github.com/ioweb-gr/polyshell-disable-file-upload.git composer require ioweb-gr/polyshell-disable-file-upload bin/magento module:enable Ioweb_PolyshellDisableFileUpload bin/magento setup:upgrade bin/magento cache:flush ``` Notes ----- [](#notes) - This module is a temporary mitigation, not a replacement for upgrading Magento. - Keep web server protections on `/media/custom_options/` in place even with this module installed. - If your store genuinely uses file custom options, test carefully before enabling the hard block mode. ### Health Score 39 — LowBetter than 85% of packages Maintenance97 Actively maintained with recent releases Popularity11 Limited adoption so far Community6 Small or concentrated contributor base Maturity34 Early-stage or recently created project Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~0 days Total 2 Last Release 47d ago ### Community Maintainers ![](https://avatars.githubusercontent.com/u/20220341?v=4)[IOWEB TECHNOLOGIES](/maintainers/ioweb-gr)[@ioweb-gr](https://github.com/ioweb-gr) --- Top Contributors [![ioweb-gr](https://avatars.githubusercontent.com/u/20220341?v=4)](https://github.com/ioweb-gr "ioweb-gr (15 commits)") ### Embed Badge ![Health badge](/badges/ioweb-gr-polyshell-disable-file-upload/health.svg) ``` [![Health](https://phpackages.com/badges/ioweb-gr-polyshell-disable-file-upload/health.svg)](https://phpackages.com/packages/ioweb-gr-polyshell-disable-file-upload) ``` ### Alternatives [defuse/php-encryption Secure PHP Encryption Library 3.9k162.4M212](/packages/defuse-php-encryption)[roave/security-advisories Prevents installation of composer packages with known security vulnerabilities: no API, simply require it 2.9k97.3M6.4k](/packages/roave-security-advisories)[mews/purifier Laravel 5/6/7/8/9/10 HtmlPurifier Package 2.0k16.7M112](/packages/mews-purifier)[robrichards/xmlseclibs A PHP library for XML Security 41278.1M118](/packages/robrichards-xmlseclibs)[bjeavons/zxcvbn-php Realistic password strength estimation PHP library based on Zxcvbn JS 86917.5M63](/packages/bjeavons-zxcvbn-php)[enlightn/security-checker A PHP dependency vulnerabilities scanner based on the Security Advisories Database. 33732.2M110](/packages/enlightn-security-checker) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)