Important: #85385 - Integrate Phar Stream Wrapper¶
In order to solve the issues mentioned in the security advisory TYPO3-SA-2018-002
PharStreamWrapper has been integrated that intercepts all according stream actions using the
phar:// stream prefix.
PharStreamWrapper only allows invocation of Phar files that are located in the usual extension directory located in
typo3conf/ext/ - Phar files stored at different locations cannot be invoked anymore.
When using Phar files in extensions PHP's
__DIR__ magic constant has to be avoided
and replaced by according TYPO3 file resolving instead. This is required in order to
allow extensions being referenced using symbolic links - when
__DIR__ points to
the source which is probably outside of
typo3conf/ext/ and thus denies the expected
Phar file invocation.
// ... include_once 'phar://' . __DIR__ . '/Resources/bundle.phar/vendor/autoload.php'; // ...
has to be adjusted to the following instead, using
ExtensionManagementUtility::extPath() in order to resolve the proper path
// ... include_once 'phar://' . \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::extPath('my_extension') . '/Resources/bundle.phar/vendor/autoload.php'; // ...