From 86c2b149d9ff43d951831cfbc5f15aa58d96444a Mon Sep 17 00:00:00 2001 From: Jonas Elfering Date: Wed, 14 Jan 2026 09:35:19 +0100 Subject: [PATCH 1/3] Add security docs for media upload by url --- resources/references/security.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/resources/references/security.md b/resources/references/security.md index a46d60fff..e24e22a96 100644 --- a/resources/references/security.md +++ b/resources/references/security.md 
@@ -37,6 +37,12 @@ The default policies are configured over the `shopware.security.csp_templates` s Shopware 6 stores and processes a wide variety of files. This goes from product images or videos to generated documents such as invoices or delivery notes. This data should be stored securely, and backups should be generated regularly. For more information, refer to [File system](../../guides/hosting/infrastructure/filesystem) +## Media upload by URL + +Shopware offers a convenience feature to allow media file uploads by directly providing a URL pointing to a third party location containing that file. +By default, shopware validates the URL to ensure that it points to a publicly accessible resource; this prevents attacks where internal networking information might be leaked. You can disable this validation by toggling the `shopware.media.enable_url_validation` to false. +However, there is still some security risk in this approach, as your shopware server does make a request to the external URL and therefore discloses some information about itself (e.g. IP address or user agent). If this is a concern to you, you can disable the whole URL upload feature by setting `shopware.media.enable_url_upload_feature = false`. + ## GDPR compliance General Data Protection Regulation (GDPR) is a comprehensive European Union (EU) regulation that enhances individuals' privacy rights by imposing strict rules on how organizations collect, process, and protect personal data. For more information, refer to [GDPR](https://docs.shopware.com/en/shopware-6-en/tutorials-and-faq/gdpr) guide. From f5d50545e62a973889924d21e0392dc072ae8f04 Mon Sep 17 00:00:00 2001 From: Jonas Elfering Date: Wed, 14 Jan 2026 09:47:43 +0100 Subject: [PATCH 2/3] Update resources/references/security.md Co-authored-by: Shyim --- resources/references/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/resources/references/security.md b/resources/references/security.md index e24e22a96..356e4ce27 100644 --- a/resources/references/security.md +++ b/resources/references/security.md @@ -40,7 +40,7 @@ Shopware 6 stores and processes a wide variety of files. This goes from product ## Media upload by URL Shopware offers a convenience feature to allow media file uploads by directly providing a URL pointing to a third party location containing that file. -By default, shopware validates the URL to ensure that it points to a publicly accessible resource; this prevents attacks where internal networking information might be leaked. You can disable this validation by toggling the `shopware.media.enable_url_validation` to false. +By default, Shopware validates the URL to ensure that it points to a publicly accessible resource; this prevents attacks where internal networking information might be leaked. You can disable this validation by toggling the `shopware.media.enable_url_validation` to false. However, there is still some security risk in this approach, as your shopware server does make a request to the external URL and therefore discloses some information about itself (e.g. IP address or user agent). If this is a concern to you, you can disable the whole URL upload feature by setting `shopware.media.enable_url_upload_feature = false`. ## GDPR compliance From 0c11830176d500f3a25e2cd1e34acc0ae39d76d5 Mon Sep 17 00:00:00 2001 From: Jonas Elfering Date: Wed, 14 Jan 2026 13:10:22 +0100 Subject: [PATCH 3/3] Update resources/references/security.md Co-authored-by: Michael Telgmann --- resources/references/security.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/resources/references/security.md b/resources/references/security.md index 356e4ce27..7088b4e2a 100644 --- a/resources/references/security.md +++ b/resources/references/security.md 
@@ -41,7 +41,8 @@ Shopware 6 stores and processes a wide variety of files. This goes from product Shopware offers a convenience feature to allow media file uploads by directly providing a URL pointing to a third party location containing that file. By default, Shopware validates the URL to ensure that it points to a publicly accessible resource; this prevents attacks where internal networking information might be leaked. You can disable this validation by toggling the `shopware.media.enable_url_validation` to false. -However, there is still some security risk in this approach, as your shopware server does make a request to the external URL and therefore discloses some information about itself (e.g. IP address or user agent). If this is a concern to you, you can disable the whole URL upload feature by setting `shopware.media.enable_url_upload_feature = false`. +However, there is still some security risk in this approach, as your Shopware server makes a request to the external URL and therefore discloses some information about itself (e.g. IP address or user agent). +If this is a concern to you, you can disable the whole URL upload feature by setting `shopware.media.enable_url_upload_feature = false`. ## GDPR compliance
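Review bot: in PATCH 1/3, the sentence "You can disable this validation by toggling the `shopware.media.enable_url_validation` to false" documents the off switch without saying what is lost. The sentence before it states that the validation is what ensures the URL points to a publicly accessible resource, so add one sentence saying that with validation disabled the server will also fetch URLs that point to internal resources, and that the default should be kept unless the deployment accepts that. Naming the attack class (server-side request forgery) instead of "attacks where internal networking information might be leaked" would also let readers look it up.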
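Review bot: in PATCH 2/3, the rewritten line still reads "toggling the `shopware.media.enable_url_validation` to false", while the context line below it writes the other switch as `shopware.media.enable_url_upload_feature = false`. Use one notation for both settings, for example "by setting `shopware.media.enable_url_validation` to `false`", and keep the value outside the key's backticks so the key can be copied as is. The capitalisation fix also leaves "your shopware server" untouched in the unchanged line below at this commit; that is only picked up in 3/3, so the two commits could be squashed.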
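Review bot: in PATCH 3/3, "However, there is still some security risk in this approach" comes directly after the sentence about disabling validation, so "this approach" can be read as referring to the disabled-validation case. The risk the line describes (the server's IP address and user agent are disclosed to the external host) exists with validation enabled as well, which is what "still" is meant to convey. Suggest opening with "Even with validation enabled, ..." or naming the URL upload feature explicitly instead of "this approach".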