If you find a security issue in this module, please do not file a public GitHub issue. Instead, email the maintainer directly:
Include:
- A description of the vulnerability
- Steps to reproduce
- The Magento version, PHP version, and module version affected
- Any proof-of-concept code (if applicable)
We aim to acknowledge reports within 48 hours and to provide a fix or mitigation plan within 7 days for confirmed issues.
| Version | Supported |
|---|---|
| 1.1.x | ✅ Yes |
| 1.0.x | |
| < 1.0 | ❌ No |
This module:
- Reads from `ScopeConfig` (admin-controlled values).
- Writes the response body of `Magento\Robots\Model\Robots::getData()` via a plugin.
- Performs HTTP GET requests against `/robots.txt` on the store's own base URL (admin Validate action and CLI `angeo:robots:validate` only).
- Does not write to the database.
- Does not write to the filesystem.
- Does not accept input from frontend visitors.
- Does not fetch from any external URL — the runtime remote bot registry was removed in 2.0.
- Admin users are trusted to configure paths in `bot_overrides` correctly. If you do not trust your admin users, do not grant them the `Angeo_RobotsTxtAeo::config` ACL.
- TLS verification is on by default for all outbound HTTP calls. The `--insecure` CLI flag exists solely for local dev with self-signed certs and must not be used in production.
High signal:
- Remote code execution
- Stored XSS in admin panel
- Path traversal in bot override fields
- Cache poisoning of the served robots.txt
- ACL bypass
Out of scope:
- Self-XSS where the admin pastes JavaScript into a config field
- DoS via extreme config values (e.g., one million Disallow lines) — that's a legitimate admin choice; we won't add input size limits unless they would prevent realistic admin error.
Reporters of valid issues will be credited in the changelog unless they request anonymity.