qoliber/magento-open-source-security
Composer 安装命令:
composer require qoliber/magento-open-source-security
包简介
Magento 2 security modules for Qoliber open source patches and fixes.
关键字:
README 文档
README
Security hardening package for Magento Open Source and Adobe Commerce.
This package contains two Magento 2 modules:
Qoliber_PolyshellPatchQoliber_SessionReaperFix
Both modules are intended as defensive mitigations. They deliberately disable specific upload flows that can be abused.
What It Fixes
PolyShell
Qoliber_PolyshellPatch blocks file-type custom option uploads through the Web API product option flow.
This is intended as a mitigation for the vulnerability commonly referred to as PolyShell and associated with Adobe bulletin APSB25-94.
Security tradeoff:
- file-type custom option uploads through this API path are disabled
- integrations relying on that upload behavior will stop working until a vendor patch or a different safe implementation is used
SessionReaper
Qoliber_SessionReaperFix overrides the frontend customer address file upload controller and returns 404 Not Found.
This closes unauthorized uploads to the customer address media directory.
Important note:
- the original
SessionReaperissue is already addressed by released Adobe / Magento patches - however, those patches still allow unauthorized upload attempts to the
customer_addressmedia directory - this module hard-disables that upload endpoint as an additional security measure
Security tradeoff:
- customer address file uploads are disabled
- any storefront functionality depending on customer address file attachments will no longer work
Installation
Install the package with Composer in your Magento project:
composer require qoliber/magento-open-source-security
Then apply Magento setup changes:
bin/magento setup:upgrade bin/magento cache:flush
Warnings
- This package is intentionally restrictive.
- It is designed to reduce attack surface, not to preserve all original upload features.
- Review business flows and third-party integrations before enabling it in production.
- If you depend on file uploads in custom options or customer address flows, test those paths explicitly after installation.
Package Contents
src/polyshell-patch-moduleprovidesQoliber_PolyshellPatchsrc/session-reaper-fix-moduleprovidesQoliber_SessionReaperFix
License
MIT
qoliber/magento-open-source-security 适用场景与选型建议
qoliber/magento-open-source-security 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 49 次下载、GitHub Stars 达 0, 最近一次更新时间为 2026 年 04 月 03 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「security」 「module」 「magento」 「patch」 「magento2」 「hotfix」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 qoliber/magento-open-source-security 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 qoliber/magento-open-source-security 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 qoliber/magento-open-source-security 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Provide a way to secure accesses to all routes of an symfony application.
It's a barebone security class written on PHP
Contao CMS integrity check for some files
Magento 2 Social Login extension is designed for quick login to your Magento 2 store without procesing complex register steps
Magento - Clean up session extension
bootstrap select field module implementing http://silviomoreto.github.io/bootstrap-select/
统计信息
- 总下载量: 49
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 44
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2026-04-03