Important: #85385 - Integrate Phar Stream Wrapper

See forge#85385

Description

In order to solve the issues mentioned in the security advisory TYPO3-SA-2018-002 a new PharStreamWrapper has been integrated that intercepts all according stream actions using the phar:// stream prefix.

PharStreamWrapper only allows invocation of Phar files that are located in the usual extension directory located in typo3conf/ext/ - Phar files stored at different locations cannot be invoked anymore.

When using Phar files in extensions PHP's __DIR__ magic constant has to be avoided and replaced by according TYPO3 file resolving instead. This is required in order to allow extensions being referenced using symbolic links - when __DIR__ points to the source which is probably outside of typo3conf/ext/ and thus denies the expected Phar file invocation.

// ...
include_once 'phar://' . __DIR__ . '/Resources/bundle.phar/vendor/autoload.php';
// ...
Copied!

has to be adjusted to the following instead, using ExtensionManagementUtility::extPath() in order to resolve the proper path

// ...
include_once 'phar://' . \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::extPath('my_extension')
  . '/Resources/bundle.phar/vendor/autoload.php';
// ...
Copied!