M
PackageMaven Submit

The Home for Magento 2 Excellence

Quality-tested Magento 2 modules. Explore. Evaluate. Elevate. #magento2

726 Modules
488 Ready
233 Need Help
🏆 Leaderboard
Actively Maintained v1.0.4

PolyShell Disable File Upload

ioweb-gr/polyshell-disable-file-upload

Mitigates PolyShell-style file upload abuse by blocking file custom option uploads and restricting allowed extensions to images only. Includes a CLI command to scan and clear suspicious files from the custom_options media directory.

Security & Compliance
0
Downloads
0
GitHub Stars
2d ago
Last Release
0
Open Issues
Build Passing
Ready to install

Build Tests

Composer Install
DI Compile
Templates

Code Quality

CS Coding Standard
19 warnings
L1 PHPStan

Tested on Magento 2.4.8-p4

Recent Test History

Each release is tested against the latest Magento version at that time.

v1.0.4 on Magento 2.4.8-p4
Mar 23, 2026
GitHub Repository
Source code & docs
Packagist
Version history
Issues & Support
Get help or report bugs

Top Contributors

View Leaderboard
ioweb-gr
ioweb-gr
9 contributions

Share This Module's Status

PolyShell Disable File Upload Magento compatibility status badge

README

Loaded from GitHub

Ioweb_PolyshellDisableFileUpload

Temporary Magento 2 hardening module that mitigates PolyShell-style abuse until the store is upgraded and fully patched.

What it provides

The module includes three practical protections:

  • A hard block for file custom option uploads.
  • A narrower image-extension-only mitigation inspired by Mark Shust's workaround.
  • A CLI command to scan and optionally clear files from pub/media/custom_options.

Admin configuration

Configuration is available at:

Stores > Configuration > Security > PolyShell Protection

Disable PolyShell Uploads

When enabled, the module hard-blocks file custom option uploads:

  • REST and API-driven file custom option payloads are rejected.
  • Standard Magento file custom option validation is rejected too.

Use this if the store does not rely on file custom options at all.

Allow Only Image Extensions

When enabled, the module applies an image-only extension allowlist to the relevant Magento image upload path:

  • rejects non-image filename extensions during image content validation
  • restricts the uploader to jpg, jpeg, gif, and png

Use this if you want a narrower mitigation and still need image-only behavior.

Default configuration

For safety, both protections default to Yes.

CLI command

The module adds this command:

bin/magento ioweb:polyshell:custom-options:scan

Behavior:

  • Dry-run by default: lists files under pub/media/custom_options that would be removed.
  • Deletes only when --force is supplied.
  • Ignores .htaccess and .gitignore.

Example:

bin/magento ioweb:polyshell:custom-options:scan --force

Installation

Add the repository to your project and require the package:

composer config repositories.ioweb-polyshell-disable-file-upload vcs https://github.com/ioweb-gr/polyshell-disable-file-upload.git
composer require ioweb-gr/polyshell-disable-file-upload
bin/magento module:enable Ioweb_PolyshellDisableFileUpload
bin/magento setup:upgrade
bin/magento cache:flush

Notes

  • This module is a temporary mitigation, not a replacement for upgrading Magento.
  • Keep web server protections on /media/custom_options/ in place even with this module installed.
  • If your store genuinely uses file custom options, test carefully before enabling the hard block mode.

This content is fetched directly from the module's GitHub repository. We are not the authors of this content and take no responsibility for its accuracy, completeness, or any consequences arising from its use.

Back to All Modules