Download the PHP package qoliber/magento-open-source-security without Composer
Package magento-open-source-security
Short Description Magento 2 security modules for Qoliber open source patches and fixes.
License MIT
Information about the package magento-open-source-security
Qoliber Magento Open Source Security
Security hardening package for Magento Open Source and Adobe Commerce.
This package contains two Magento 2 modules:
- Qoliber_PolyshellPatch
- Qoliber_SessionReaperFix
Both modules are intended as defensive mitigations. They deliberately disable specific upload flows that can be abused.
What It Fixes
PolyShell
Qoliber_PolyshellPatch blocks file-type custom option uploads through the Web API product option flow.
This is intended as a mitigation for the vulnerability commonly referred to as PolyShell and associated with Adobe bulletin APSB25-94.
Security tradeoff:
- file-type custom option uploads through this API path are disabled
- integrations relying on that upload behavior will stop working until a vendor patch or a different safe implementation is used
SessionReaper
Qoliber_SessionReaperFix overrides the frontend customer address file upload controller and returns 404 Not Found.
This closes unauthorized uploads to the customer address media directory.
Important note:
- the original SessionReaper issue is already addressed by released Adobe / Magento patches
- however, those patches still allow unauthorized upload attempts to the customer_address media directory
- this module hard-disables that upload endpoint as an additional security measure
Security tradeoff:
- customer address file uploads are disabled
- any storefront functionality depending on customer address file attachments will no longer work
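The "override the controller and answer 404" approach described above, as an added illustration that is not the package's own code. It assumes the storefront action being neutralised is Magento\Customer\Controller\Address\File\Upload (check the class against your Magento version) and uses a hypothetical module name, Example_UploadDisable.

```php
<?php
// Added illustrative example, not code from qoliber/magento-open-source-security.
// Assumptions: the storefront action being neutralised is
// Magento\Customer\Controller\Address\File\Upload (verify the class against your
// Magento version) and the example module is named Example_UploadDisable.
//
// Wire it in etc/frontend/di.xml of the example module so only the storefront area is affected:
//   <preference for="Magento\Customer\Controller\Address\File\Upload"
//               type="Example\UploadDisable\Controller\Address\File\Upload"/>
declare(strict_types=1);

namespace Example\UploadDisable\Controller\Address\File;

use Magento\Framework\App\Action\HttpGetActionInterface;
use Magento\Framework\App\Action\HttpPostActionInterface;
use Magento\Framework\Controller\Result\Raw;
use Magento\Framework\Controller\ResultFactory;
use Magento\Framework\Controller\ResultInterface;

/**
 * Replaces the customer address file upload action with one that never reads
 * the request body or touches the media directory: every request, GET or POST,
 * authenticated or not, receives an empty 404 response.
 */
class Upload implements HttpGetActionInterface, HttpPostActionInterface
{
    private ResultFactory $resultFactory;

    public function __construct(ResultFactory $resultFactory)
    {
        $this->resultFactory = $resultFactory;
    }

    public function execute(): ResultInterface
    {
        /** @var Raw $result */
        $result = $this->resultFactory->create(ResultFactory::TYPE_RAW);
        // Deliberately no file handling at all; the empty 404 is the whole behaviour.
        $result->setHttpResponseCode(404);
        $result->setContents('');
        return $result;
    }
}
```

After deploying such an override, confirm with a request to the endpoint that the response is 404 and that nothing appears in the customer_address media directory, since the mitigation is only as good as the preference actually being picked up by the DI configuration.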
Installation
Install the package with Composer in your Magento project:
Then apply Magento setup changes:
Warnings
- This package is intentionally restrictive.
- It is designed to reduce attack surface, not to preserve all original upload features.
- Review business flows and third-party integrations before enabling it in production.
- If you depend on file uploads in custom options or customer address flows, test those paths explicitly after installation.
Package Contents
- src/polyshell-patch-module provides Qoliber_PolyshellPatch
- src/session-reaper-fix-module provides Qoliber_SessionReaperFix
License
MIT