Important: #85385 - Integrate Phar Stream Wrapper ¶
See Issue #85385
In order to solve the issues mentioned in the
security advisory TYPO3-SA-2018-002
has been integrated that intercepts all according stream actions using the
only allows invocation of Phar files that are located in the usual extension directory located in
- Phar files stored at different locations cannot be invoked anymore.
When using Phar files in extensions PHP’s
magic constant has to be avoided
and replaced by according TYPO3 file resolving instead. This is required in order to
allow extensions being referenced using symbolic links - when
the source which is probably outside of
and thus denies the expected
Phar file invocation.
// ... include_once 'phar://' . __DIR__ . '/Resources/bundle.phar/vendor/autoload.php'; // ...
has to be adjusted to the following instead, using
in order to resolve the proper path
// ... include_once 'phar://' . \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::extPath('my_extension') . '/Resources/bundle.phar/vendor/autoload.php'; // ...