
markshust/magento2-module-polyshell-patch
=========================================

The PolyshellPatch module mitigates the PolyShell vulnerability (APSB25-94) — an unrestricted file upload in the Magento REST API that allows attackers to upload executable files via cart item custom option file uploads.

Version 1.0.0, MIT license, requires PHP ^8.1. Listed since Mar 24, last pushed 1mo ago, 4 watchers.

[Source](https://github.com/markshust/magento-polyshell-patch) | [Packagist](https://packagist.org/packages/markshust/magento2-module-polyshell-patch) | [RSS](/packages/markshust-magento2-module-polyshell-patch/feed)

MarkShust\_PolyshellPatch
=========================

Mitigates the PolyShell vulnerability (APSB25-94) — an unrestricted file upload in the Magento REST API that allows attackers to upload executable files via cart item custom option file uploads.

What this module does
---------------------

Two plugins enforce an image-only extension allowlist (`jpg`, `jpeg`, `gif`, `png`):

1. **ImageContentValidatorExtension** — rejects filenames with non-image extensions before the file is written to disk.
2. **ImageProcessorRestrictExtensions** — calls `setAllowedExtensions()` on the `Uploader` so the framework's own extension check blocks dangerous files as a second layer.

Installation
------------

```
composer require markshust/magento2-module-polyshell-patch
bin/magento module:enable MarkShust_PolyshellPatch
bin/magento setup:upgrade
bin/magento cache:flush
```

Web server hardening (required for production)
----------------------------------------------

The module blocks uploads at the application layer, but defense-in-depth requires blocking execution/access at the web server level too. Apply the appropriate config below.

### Nginx

Add this **before** any `location ~ \.php$` block to prevent it from taking priority:

```
location ^~ /media/custom_options/ {
    deny all;
    return 403;
}
```

The order matters: nginx evaluates `^~` prefix matches before regex matches, so placing this block first ensures `.php` files in this directory are never passed to FastCGI.

Reload after applying:

```
nginx -t && nginx -s reload
```

### Apache

Verify that `pub/media/custom_options/.htaccess` exists and contains:

```
<IfVersion < 2.4>
    order deny,allow
    deny from all
</IfVersion>
<IfVersion >= 2.4>
    Require all denied
</IfVersion>
```

Also confirm that `AllowOverride All` is set for your document root so `.htaccess` files are honored.

Scan for existing compromise
----------------------------

Check whether any files have already been uploaded to the custom\_options directory:

```
find pub/media/custom_options/ -type f ! -name '.htaccess'
```

If any files are found (especially `.php`, `.phtml`, or `.phar`), investigate immediately — they may be webshells.
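As an added example (not the module's own code), a POSIX shell triage script that goes one step past the `find` above: it flags non-image extensions, double extensions such as `shell.php.jpg`, and image-named files whose body contains a PHP open tag. The `pub/media/custom_options` default path and the constructed fixture directory are assumptions.

```shell
# Added example (not part of the module): triage the custom_options upload
# directory from this page. Benign = image-allowlisted final extension and
# no PHP open tag in the body; everything else is reported for review.

# Print one reason line and return 1 if suspicious; return 0 if it looks benign.
classify_file() {
    f="$1"
    lower=$(basename "$f" | tr 'A-Z' 'a-z')
    ext="${lower##*.}"
    case "$lower" in
        *.php*|*.phtml*|*.phar*)   # shell.php, shell.PHP, shell.php.jpg ...
            echo "$f: dangerous extension token in filename"; return 1 ;;
    esac
    case "$ext" in
        jpg|jpeg|gif|png) ;;       # the allowlist enforced by the module's plugins
        *) echo "$f: extension '$ext' outside image allowlist"; return 1 ;;
    esac
    # An image extension proves nothing: check the body for a PHP open tag.
    if grep -q '<?php' "$f" 2>/dev/null; then
        echo "$f: PHP open tag inside file with image extension"; return 1
    fi
    return 0
}

# Walk the directory (default: the path used on this page) and print one
# line per suspicious file; .htaccess is the only file expected there.
scan_custom_options() {
    dir="${1:-pub/media/custom_options}"
    find "$dir" -type f ! -name '.htaccess' | while IFS= read -r f; do
        classify_file "$f" || true
    done
}

# Number of suspicious files under a directory, as a bare integer.
count_suspicious() {
    scan_custom_options "$1" | wc -l | tr -d ' '
}

# Constructed fixture standing in for a store's upload directory: one benign
# image, a bare webshell, a double-extension upload, and a disguised image.
make_fixture() {
    d=$(mktemp -d)
    printf 'GIF89a' > "$d/ok.gif"
    printf '<?php echo 1;' > "$d/shell.php"
    printf 'x' > "$d/evil.php.jpg"
    printf '<?php echo 2;' > "$d/disguised.png"
    printf 'Require all denied' > "$d/.htaccess"
    echo "$d"
}
```

Run `scan_custom_options pub/media/custom_options` from the Magento root; an empty result is the expected state on a clean store.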

When to remove this module
--------------------------

This module is an interim hotfix. Remove it once Adobe backports the official patch to production Magento versions (2.4.8-p4 or later). To remove:

```
bin/magento module:disable MarkShust_PolyshellPatch
bin/magento setup:upgrade
rm -rf app/code/MarkShust/PolyshellPatch
bin/magento cache:flush
```

Why this module is intentionally minimal
----------------------------------------

Adobe's [official fix](https://github.com/magento/magento2/commit/796c4ce195cee0814ac92e5a19fc2ecfa79dae69) spans 18 files (+997 lines) across `Magento_Catalog`, `Magento_Quote`, and the framework. It introduces a new `ImageContentProcessor`, a `CartItemValidatorChain` at the Repository layer, an `ImageContentUploaderInterface`, and API-scoped DI configuration.

We intentionally did not replicate that approach because:

- **It modifies core module internals.** The official patch alters constructors, adds dependencies to `CustomOptionProcessor` and `Repository`, and introduces new interfaces — changes that are tightly coupled to specific Magento versions and could conflict with the official patch when it ships.
- **A minimal allowlist is sufficient to block the exploit.** The vulnerability is that any file extension is accepted. Our two plugins enforce a strict image-only allowlist (`jpg`, `jpeg`, `gif`, `png`) at both the validator and uploader level. This is actually stricter than the official fix, which uses a denylist approach (`NotProtectedExtension`) that rejects known-dangerous extensions.
- **Lower risk of side effects.** A small, self-contained module with two plugins is easy to audit, test, and remove cleanly — which is exactly what you want from a temporary hotfix.

References
----------

- [Sansec: Magento PolyShell](https://sansec.io/research/magento-polyshell)
- [Adobe official fix (commit)](https://github.com/magento/magento2/commit/796c4ce195cee0814ac92e5a19fc2ecfa79dae69)
- Adobe Security Bulletin: APSB25-94
- Patched in Magento 2.4.9-alpha3+ (pre-release only, no production patch available)

Credits
-------

### M.academy

This module is sponsored by [M.academy](https://m.academy), the simplest way to learn Magento.

