
Abandoned → replaced by [aregowe/magento2-module-polyshell-protection](/?search=aregowe%2Fmagento2-module-polyshell-protection). Type: Magento2 module. Category: [Security](/categories/security).

markshust/magento2-module-polyshell-patch
=========================================

The PolyshellPatch module mitigates the PolyShell vulnerability (APSB25-94) — an unrestricted file upload in the Magento REST API that allows attackers to upload executable files via cart item custom option file uploads.

Version 1.0.0 (released 3mo ago) · [7 issues](https://github.com/markshust/magento-polyshell-patch/issues) · [4 PRs](https://github.com/markshust/magento-polyshell-patch/pulls) · License: MIT · PHP ^8.1

Since Mar 24 · Pushed 2mo ago · 6 watchers

[Source](https://github.com/markshust/magento-polyshell-patch) · [Packagist](https://packagist.org/packages/markshust/magento2-module-polyshell-patch) · main · Synced 3w ago

MarkShust_PolyshellPatch
=========================

Mitigates the PolyShell vulnerability — an unrestricted file upload in the Magento REST API that allows attackers to upload executable files via cart item custom option file uploads.

---

!! DEPRECATED — DO NOT USE !!
-----------------------------


**This package has been deprecated and abandoned in favor of [`aregowe/magento2-module-polyshell-protection`](https://github.com/aregowe/magento2-module-polyshell-protection).**

That module integrates all of this module's protection and extends it significantly with:

- Polyglot file scanning (detects valid images with embedded PHP)
- No-extension and double-extension attack detection
- Multi-pass URL decoding and obfuscation normalization
- Known attack filename/pattern matching
- Request path blocking at the FrontController and `pub/get.php` level
- Controller-level upload blocking for customer attribute and file upload endpoints
- A kill switch blocking all custom option file uploads via the Webapi File Processor

### Migration


If you currently have this module installed, migrate with:

```
# disable and unregister the old module first
bin/magento module:disable MarkShust_PolyshellPatch
bin/magento setup:upgrade
# pull in the replacement (its composer.json "replace"s this package)
composer require aregowe/magento2-module-polyshell-protection
bin/magento module:enable Aregowe_PolyShellProtection
bin/magento setup:upgrade
bin/magento cache:flush
```

The replacement package includes a Composer `replace` directive for `markshust/magento2-module-polyshell-patch`, so Composer will handle the transition automatically.

---

> **The following documentation is preserved for reference only.** This module is no longer maintained. If you choose to use it anyway, it will still block the basic exploit, but the replacement module above provides far more comprehensive protection.

What this module does
---------------------


Two plugins enforce an image-only extension allowlist (`jpg`, `jpeg`, `gif`, `png`):

1. **ImageContentValidatorExtension** — rejects filenames with non-image extensions before the file is written to disk.
2. **ImageProcessorRestrictExtensions** — calls `setAllowedExtensions()` on the framework `Uploader`, so the framework's own extension check, which runs when the file is saved, rejects dangerous files as a second layer even if the first plugin is bypassed.
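To make the two layers concrete, here is an added single-file sketch of that design. It is illustration written for this page, not the module's own source: the `Example\PolyshellDemo\Plugin` namespace, the class names and the shared `ExtensionAllowlist` helper are assumptions; the Magento types it plugs into (`Magento\Framework\Api\ImageContentValidator::isValid()`, `Magento\Framework\Api\Uploader::processFileAttributes()`, `ImageContentInterface`, `InputException`) are the real framework classes. The helper is pure PHP so the policy can be exercised without a Magento install.

```php
<?php
/*
 * Added illustration, not the module's own source: a one-file sketch of the
 * two-layer image-only allowlist. Namespace, class names and the
 * ExtensionAllowlist helper are assumptions for this example; the Magento
 * types referenced are the real framework classes.
 */
declare(strict_types=1);

namespace Example\PolyshellDemo\Plugin;

use Magento\Framework\Api\Data\ImageContentInterface;
use Magento\Framework\Api\ImageContentValidator;
use Magento\Framework\Api\Uploader;
use Magento\Framework\Exception\InputException;
use Magento\Framework\Phrase;

/** Extension policy shared by both plugins; pure PHP so it is testable without Magento. */
final class ExtensionAllowlist
{
    public const ALLOWED = ['jpg', 'jpeg', 'gif', 'png'];

    /**
     * True only if the FINAL extension of the client-supplied name is allowlisted.
     * Rejects names with no extension, dotfiles (".htaccess"), a trailing dot
     * ("shell.") and any non-image final extension ("shell.php", "x.jpg.php").
     * Case is folded so "shell.PHP" cannot slip past a case-sensitive compare.
     * Note: "x.php.jpg" passes this check; the bytes are still validated as an
     * image by the framework, and the web server must never execute this dir.
     */
    public static function isAllowed(string $name): bool
    {
        $base = basename(str_replace("\0", '', $name)); // drop path parts and NUL bytes
        $dot = strrpos($base, '.');
        if ($dot === false || $dot === 0 || $dot === strlen($base) - 1) {
            return false;
        }
        return in_array(strtolower(substr($base, $dot + 1)), self::ALLOWED, true);
    }
}

/** Layer 1: before-plugin on ImageContentValidator::isValid(); nothing is written to disk. */
class ImageContentValidatorExtension
{
    public function beforeIsValid(ImageContentValidator $subject, ImageContentInterface $imageContent): array
    {
        if (!ExtensionAllowlist::isAllowed((string) $imageContent->getName())) {
            throw new InputException(new Phrase('Only jpg, jpeg, gif and png files can be uploaded.'));
        }
        return [$imageContent];
    }
}

/**
 * Layer 2: before-plugin on Api\Uploader::processFileAttributes(), which ImageProcessor
 * calls right before save(); save() then refuses any extension not in this list.
 */
class ImageProcessorRestrictExtensions
{
    public function beforeProcessFileAttributes(Uploader $subject, array $fileAttributes): array
    {
        $subject->setAllowedExtensions(ExtensionAllowlist::ALLOWED);
        return [$fileAttributes];
    }
}

// Stand-alone check of the policy on constructed names (no Magento needed): php thisfile.php
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $samples = ['photo.PNG', 'shell.php', 'shell.phtml', 'shell.jpg.php',
                'shell.php.jpg', 'noext', '.htaccess', 'trailing.'];
    foreach ($samples as $n) {
        printf("%-14s %s\n", $n, ExtensionAllowlist::isAllowed($n) ? 'allowed' : 'REJECTED');
    }
}
```

In a real module the two plugin classes live in their own files and are registered in `etc/di.xml` with `<type name="Magento\Framework\Api\ImageContentValidator"><plugin name="..." type="..."/></type>` and the same for `Magento\Framework\Api\Uploader`. The caveat worth noticing in the output is `shell.php.jpg`: an extension allowlist accepts it, which is why the web-server hardening below is marked required and why the replacement module adds polyglot scanning.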

Installation
------------


```
composer require markshust/magento2-module-polyshell-patch
bin/magento module:enable MarkShust_PolyshellPatch
bin/magento setup:upgrade
bin/magento cache:flush
```

Web server hardening (required for production)
----------------------------------------------


The module blocks uploads at the application layer, but defense-in-depth requires blocking execution/access at the web server level too. Apply the appropriate config below.

### Nginx


Add this `location` block to the `server` block that serves `pub/` (placing it ahead of `location ~ \.php$` is conventional, but `^~` makes the result independent of order):

```
location ^~ /media/custom_options/ {
    deny all;
    return 403;
}
```

Why this works: `^~` tells nginx to stop at this prefix match and skip all regex locations, including `location ~ \.php$`, so a `.php` file under this directory is never handed to FastCGI no matter where the block sits in the file. `return 403` fires in the rewrite phase, before `deny all` is evaluated, so either directive alone would do; keeping both is harmless. Check the result with `curl -sI https://your-store.example/media/custom_options/probe.php`: the response should be `403` even though `probe.php` does not exist.

Reload after applying:

```
nginx -t && nginx -s reload
```

### Apache


Verify that `pub/media/custom_options/.htaccess` exists and contains:

```
<IfVersion < 2.4>
    order deny,allow
    deny from all
</IfVersion>
<IfVersion >= 2.4>
    Require all denied
</IfVersion>
```

Also confirm that `AllowOverride All` is set in the `<Directory>` block for your document root so `.htaccess` files are honored; without it Apache silently ignores the file. Magento ships this `.htaccess`, but it is a dotfile and can be dropped by deployment tooling that excludes hidden files, so check that it is actually present on the production host.

Scan for existing compromise
----------------------------


Check whether any files have already been uploaded to the custom\_options directory:

```
find pub/media/custom_options/ -type f ! -name '.htaccess'
```

If any files are found (especially `.php`, `.phtml`, or `.phar`, but also image files with unexpected content), investigate immediately — they may be webshells. Preserve the files and their timestamps before removing them, and check the web server access log for requests to `/media/custom_options/` to see whether anything was ever executed.
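The `find` command lists files but says nothing about what they are. The following added scanner, written for this page and not part of the module, goes further: it flags executable extensions anywhere in the name (so double extensions such as `x.php.jpg` are caught), files with no extension, a final extension outside the image allowlist, and PHP open tags inside the content, which is how a valid image is turned into a polyglot webshell. The function names and the sample files it writes into a temporary directory are constructed for the demo; the detection logic is the point.

```php
<?php
/*
 * Added example, not part of this module: a read-only triage scanner for
 * pub/media/custom_options/. The EXECUTABLE list, function names and the
 * constructed sample files are assumptions made for this demo.
 */
declare(strict_types=1);

const EXECUTABLE = ['php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7', 'php8', 'phps', 'pht', 'shtml'];
const IMAGE_ALLOWED = ['jpg', 'jpeg', 'gif', 'png'];

/** Returns the findings for one file; an empty array means nothing suspicious. */
function triage(string $path, string $bytes): array
{
    $findings = [];
    $segments = array_map('strtolower', explode('.', basename($path)));
    array_shift($segments); // first segment is the stem, every later one is an "extension"
    if ($segments === []) {
        $findings[] = 'no extension';
    } else {
        foreach (array_intersect($segments, EXECUTABLE) as $seg) {
            $findings[] = "executable extension .$seg";
        }
        $last = end($segments);
        if (!in_array($last, IMAGE_ALLOWED, true)) {
            // also catches a dropped .htaccess in a subdirectory (e.g. one adding AddHandler)
            $findings[] = "final extension .$last is not an image type";
        }
    }
    // "<?php", "<?=" or the short tag "<? " anywhere in the bytes: a polyglot if the file is an image
    if (preg_match('/<\?(php\b|=|\s)/i', $bytes)) {
        $findings[] = 'PHP open tag found in content';
    }
    return $findings;
}

/** Walks the directory recursively; skips only the .htaccess Magento ships at the top level. */
function scanCustomOptions(string $dir): array
{
    $dir = rtrim($dir, '/');
    $report = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();
        if ($file->getFilename() === '.htaccess' && dirname($path) === $dir) {
            continue;
        }
        $findings = triage($path, (string) file_get_contents($path));
        if ($findings !== []) {
            $report[substr($path, strlen($dir) + 1)] = [
                'mtime'    => date('c', $file->getMTime()), // when it landed: useful for the timeline
                'findings' => $findings,
            ];
        }
    }
    ksort($report);
    return $report;
}

// Usage: php scan_custom_options.php [pub/media/custom_options]; with no argument it
// scans constructed sample files in a temp dir. Exit code 1 if anything was flagged.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $dir = $argv[1] ?? null;
    if ($dir === null) {
        $dir = sys_get_temp_dir() . '/custom_options_demo_' . getmypid();
        mkdir("$dir/quote_option", 0700, true);
        file_put_contents("$dir/.htaccess", "Require all denied\n");
        file_put_contents("$dir/quote_option/legit.png", "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32));
        file_put_contents("$dir/quote_option/polyglot.gif", 'GIF89a' . str_repeat("\0", 16) . '<?php echo "x"; ?>');
        file_put_contents("$dir/quote_option/shell.php.jpg", "\xFF\xD8\xFF" . '<?= 1 ?>');
        file_put_contents("$dir/quote_option/noext", 'data');
    }
    $report = scanCustomOptions($dir);
    foreach ($report as $rel => $info) {
        echo "$rel ({$info['mtime']}): " . implode('; ', $info['findings']) . "\n";
    }
    exit($report === [] ? 0 : 1);
}
```

On the constructed samples `legit.png` is clean, `noext` is reported for having no extension, `polyglot.gif` only for the PHP open tag in its content, and `shell.php.jpg` for both the embedded `.php` segment and the open tag. The scanner reads but never deletes: keep flagged files as evidence until the timeline is understood.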

When to remove this module
--------------------------


This module is an interim hotfix. Remove it once Adobe backports the official patch to production Magento versions (2.4.8-p4 or later). To remove:

If you have installed it manually:

```
bin/magento module:disable MarkShust_PolyshellPatch
bin/magento setup:upgrade
rm -rf app/code/MarkShust/PolyshellPatch
bin/magento cache:flush
```

If you have installed it by composer:

```
bin/magento module:disable MarkShust_PolyshellPatch
bin/magento setup:upgrade
composer remove markshust/magento2-module-polyshell-patch
bin/magento cache:flush
```

Why this module is intentionally minimal
----------------------------------------


Adobe's [official fix](https://github.com/magento/magento2/commit/796c4ce195cee0814ac92e5a19fc2ecfa79dae69) spans 18 files (+997 lines) across `Magento_Catalog`, `Magento_Quote`, and the framework. It introduces a new `ImageContentProcessor`, a `CartItemValidatorChain` at the Repository layer, an `ImageContentUploaderInterface`, and API-scoped DI configuration.

We intentionally did not replicate that approach because:

- **It modifies core module internals.** The official patch alters constructors, adds dependencies to `CustomOptionProcessor` and `Repository`, and introduces new interfaces — changes that are tightly coupled to specific Magento versions and could conflict with the official patch when it ships.
- **A minimal allowlist is sufficient to block the exploit.** The vulnerability is that any file extension is accepted. Our two plugins enforce a strict image-only allowlist (`jpg`, `jpeg`, `gif`, `png`) at both the validator and uploader level. This is actually stricter than the official fix, which uses a denylist approach (`NotProtectedExtension`) that rejects known-dangerous extensions.
- **Lower risk of side effects.** A small, self-contained module with two plugins is easy to audit, test, and remove cleanly — which is exactly what you want from a temporary hotfix.

References
----------


- [Sansec: Magento PolyShell](https://sansec.io/research/magento-polyshell)
- [Adobe official fix (commit)](https://github.com/magento/magento2/commit/796c4ce195cee0814ac92e5a19fc2ecfa79dae69)
- Adobe Security Bulletin: APSB25-94
- Patched in Magento 2.4.9-alpha3+ (pre-release only, no production patch available)

Credits
-------


### M.academy


This module is sponsored by [M.academy](https://m.academy), the simplest way to learn Magento.

### Community

Maintainer: [Mark Shust](/maintainers/markshust) ([@markshust](https://github.com/markshust)).

Top contributors: [markshust](https://github.com/markshust) (8 commits), [WaPoNe](https://github.com/WaPoNe) (1 commit).



PHPackages © 2026
