# PolyShell (CVE-2025-54236)

## Description

A known vulnerability in Magento allows attackers to upload malicious files through the custom options file upload feature. These files are stored in the `/media/custom_options/` directory and can potentially be executed directly via the web server, leading to remote code execution. This patch blocks public access to that path at the NGINX level. See [CVE-2025-54236](https://nvd.nist.gov/vuln/detail/CVE-2025-54236) for more details.

## Impact

There is no downtime expected from this change. NGINX will be reloaded on all web nodes after the configuration is applied.

## Changes

- Drops an NGINX configuration file (`00-polyshell-mitigation.conf`) into each Magento site's `conf.d` directory that denies all access to `/media/custom_options/`.
- Copies the same configuration into the vhost template directory so that any new sites provisioned in the future will also include the mitigation.
- Tests the NGINX configuration and reloads NGINX on all web nodes.
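
To confirm the mitigation is present on every site once the change has been applied, an audit like the following can be run on a web node. It is an added example, not the patch's own code: the `<root>/<site>/conf.d` layout, the function names, and the assumption that the file uses a `location` block containing `deny all;` are illustrative, since this notice does not show the file's contents.

```shell
#!/bin/sh
# Added example: audit per-site conf.d directories for the mitigation file.
# Assumed layout (not stated in the notice): <root>/<site>/conf.d/

MITIGATION_FILE="00-polyshell-mitigation.conf"
BLOCKED_PATH="/media/custom_options/"

# has_deny_rule FILE: succeeds only if FILE has a location block for
# BLOCKED_PATH that contains an uncommented "deny all;".
has_deny_rule() {
    awk -v path="$BLOCKED_PATH" '
        { sub(/#.*/, "") }                          # ignore comments
        /location/ && index($0, path) { inblk = 1 } # block for the path opens
        inblk && /deny[ \t]+all[ \t]*;/ { found = 1 }
        inblk && index($0, "}")         { inblk = 0 } # block closes
        END { exit found ? 0 : 1 }
    ' "$1"
}

# audit_sites ROOT: prints one status line per site and returns non-zero
# if any site is missing the file or the file does not deny the path.
audit_sites() {
    root=$1
    bad=0
    for confd in "$root"/*/conf.d; do
        [ -d "$confd" ] || continue
        site=$(basename "$(dirname "$confd")")
        f="$confd/$MITIGATION_FILE"
        if [ ! -f "$f" ]; then
            echo "MISSING  $site"; bad=1
        elif ! has_deny_rule "$f"; then
            echo "NO_DENY  $site"; bad=1
        else
            echo "OK       $site"
        fi
    done
    return "$bad"
}

# Run the audit when a root directory is given on the command line.
[ "$#" -eq 0 ] || audit_sites "$1"
```

A file that exists but has its rule commented out is reported as `NO_DENY`, which a plain file-existence check would miss.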

## If You Accept

All public access to `/media/custom_options/` will be blocked at the NGINX level, protecting your store from this attack vector. New sites created after the patch will also include the mitigation automatically.

## If You Reject

The `/media/custom_options/` path will remain publicly accessible, leaving your store vulnerable to potential remote code execution via malicious file uploads.
