Important: #85385 - Integrate Phar Stream Wrapper
See forge#85385
Description
In order to solve the issues mentioned in the security advisory TYPO3-SA-2018-002
a new Phar
has been integrated that intercepts all according stream actions using the phar://
stream prefix.
Phar
only allows invocation of Phar files that are located in the usual extension directory located in
typo3conf/
- Phar files stored at different locations cannot be invoked anymore.
When using Phar files in extensions PHP's __
magic constant has to be avoided
and replaced by according TYPO3 file resolving instead. This is required in order to
allow extensions being referenced using symbolic links - when __
points to
the source which is probably outside of typo3conf/
and thus denies the expected
Phar file invocation.
// ...
include_once 'phar://' . __DIR__ . '/Resources/bundle.phar/vendor/autoload.php';
// ...
has to be adjusted to the following instead, using Extension
in order to resolve the proper path
// ...
include_once 'phar://' . \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::extPath('my_extension')
. '/Resources/bundle.phar/vendor/autoload.php';
// ...