Hi 👋
First of all, thanks for publishing this lightweight patch — it’s very helpful as a temporary mitigation.
I noticed that the allowed file extensions are currently hardcoded to:
jpg, jpeg, gif, png
I’d like to propose adding an optional way to configure this allowlist while keeping the current secure defaults unchanged.
Proposal
- Keep the default behavior exactly as-is (jpg, jpeg, gif, png)
- Add an optional override (e.g. via app/etc/env.php)
- Use a single shared provider class to avoid duplicating logic across plugins
- If no config is provided, fallback to the current defaults
Example
app/etc/env.php:
'polyshell_patch' => [
    'allowed_extensions' => 'jpg,jpeg,gif,png,pdf'
]
Rationale
- Some people may need to allow additional safe formats (e.g. pdf)
- Avoids forcing users to fork the module
- Keeps the patch minimal and secure by default
- Does not change behavior for existing users
Security note
The documentation would clearly mention that expanding the allowlist reduces the strictness of the mitigation.
If this approach sounds acceptable, I’d be happy to open a PR with a minimal implementation.
Thanks!
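As an added illustration of the shared-provider idea in the proposal above (example code, not the patch's own and not from the comment author): a hypothetical `AllowedExtensionsProvider` that reads the optional `polyshell_patch/allowed_extensions` override, falls back to the current defaults when it is absent or unusable, and checks only the final extension of a filename. The class name, the array-based constructor and the sample configs are assumptions; in Magento 2 the array would come from `app/etc/env.php`.

```php
<?php
// Added example: hypothetical provider for the proposed allowlist override.
// The constructor takes the decoded env.php array (constructed inline below)
// so the file runs stand-alone outside Magento.

final class AllowedExtensionsProvider
{
    private const DEFAULTS = ['jpg', 'jpeg', 'gif', 'png'];

    /** @var string[] */
    private array $allowed;

    public function __construct(array $envConfig)
    {
        $raw = $envConfig['polyshell_patch']['allowed_extensions'] ?? null;
        // No override (or an empty one): keep the current defaults unchanged.
        $list = is_string($raw) && trim($raw) !== ''
            ? array_map('trim', explode(',', strtolower($raw)))
            : self::DEFAULTS;
        // Accept only plain alphanumeric tokens; drop blanks and duplicates.
        $this->allowed = array_values(array_unique(array_filter(
            $list,
            static fn (string $e): bool => preg_match('/^[a-z0-9]+$/', $e) === 1
        )));
        // An override that leaves nothing valid must not disable the check.
        if ($this->allowed === []) {
            $this->allowed = self::DEFAULTS;
        }
    }

    /** @return string[] */
    public function getAllowedExtensions(): array
    {
        return $this->allowed;
    }

    public function isAllowed(string $filename): bool
    {
        // Compare the final extension only, case-insensitively, so
        // "photo.JPG" is accepted while "image.jpg.php" is not.
        $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
        return $ext !== '' && in_array($ext, $this->allowed, true);
    }
}

// Constructed configs: no override, and the pdf override from the proposal.
$defaults = new AllowedExtensionsProvider([]);
$withPdf  = new AllowedExtensionsProvider([
    'polyshell_patch' => ['allowed_extensions' => 'jpg,jpeg,gif,png,pdf'],
]);
var_dump($defaults->isAllowed('report.pdf'), $withPdf->isAllowed('report.pdf'));
var_dump($withPdf->isAllowed('image.jpg.php'), $defaults->getAllowedExtensions());
```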