taurus-media / module-polyshell-fix
Fix for a potential exploit in custom options, called Polyshell, in which a user might try to pass a 'file' value to an option that is not designed to handle files.
Package info
github.com/taurus-media/module-polyshell-fix
Type: magento2-module
pkg:composer/taurus-media/module-polyshell-fix
Requires
- magento/module-catalog: *
This package is auto-updated.
Last update: 2026-03-24 10:14:50 UTC
README
A Magento 2 module designed to address a potential security concern related to custom options. It ensures that custom option values are correctly validated before processing, preventing unauthorized 'file' type injections.
Description
This module introduces a before plugin for Magento\Catalog\Model\CustomOptions\CustomOption::getOptionValue().
The plugin performs the following checks:
- Option Existence: Verifies that the option_id associated with the request exists in the database. If the option does not exist, a LocalizedException is thrown.
- Type Validation: If the provided option_value is set to 'file', it confirms that the actual custom option type in Magento is indeed 'file'. If there is a mismatch (e.g., trying to pass 'file' to a text or drop_down option), a LocalizedException is thrown.
This prevents potential exploitation where an attacker might try to force Magento to process a file upload for an option that was not intended to handle files.
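A sketch of how a before plugin performing these two checks could look, added here as an illustration and not the module's own source. The namespace, class name, plugin name and exception messages are assumptions, and loading the option through OptionFactory is one possible way to do the lookup.

```php
<?php
declare(strict_types=1);

// Hypothetical namespace and class name; not the module's actual source.
namespace Example\OptionGuard\Plugin;

use Magento\Catalog\Api\Data\CustomOptionInterface;
use Magento\Catalog\Model\CustomOptions\CustomOption;
use Magento\Catalog\Model\Product\OptionFactory;
use Magento\Framework\Exception\LocalizedException;

/**
 * Assumed registration in etc/di.xml:
 *   <type name="Magento\Catalog\Model\CustomOptions\CustomOption">
 *     <plugin name="example_option_guard" type="Example\OptionGuard\Plugin\CustomOptionGuard"/>
 *   </type>
 */
class CustomOptionGuard
{
    private OptionFactory $optionFactory;

    public function __construct(OptionFactory $optionFactory)
    {
        $this->optionFactory = $optionFactory;
    }

    /**
     * Runs before CustomOption::getOptionValue(). It returns nothing, so the
     * original call proceeds unchanged when both checks pass.
     *
     * @throws LocalizedException
     */
    public function beforeGetOptionValue(CustomOption $subject): void
    {
        // Check 1: the submitted option_id must match a stored custom option.
        $option = $this->optionFactory->create()->load((int) $subject->getOptionId());
        if (!$option->getId()) {
            throw new LocalizedException(__('The requested custom option does not exist.'));
        }
        // Read the raw value with getData(); calling getOptionValue() here
        // would re-enter this plugin.
        $rawValue = $subject->getData(CustomOptionInterface::OPTION_VALUE);

        // Check 2: the literal 'file' is accepted only when the stored type is 'file'.
        if ($rawValue === 'file' && $option->getType() !== 'file') {
            throw new LocalizedException(__('This custom option does not accept file uploads.'));
        }
    }
}
```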
Installation
Via Composer (if available in repository)
composer require taurus-media/module-polyshell-fix
Manual Installation
- Copy the module files to app/code/Taurus/PolyshellFix.
- Run the following Magento commands:
bin/magento module:enable Taurus_PolyshellFix
bin/magento setup:upgrade
bin/magento cache:flush
Features
- Security Hardening: Adds a layer of validation to product custom options.
- Strict Type Checking: Ensures data integrity for file-based custom options.
- Easy Integration: Hooks into existing Magento logic via plugins without modifying core files.