[TASK] Document integration of PharStreamWrapper
[Packages/TYPO3.CMS.git] / typo3 / sysext / core / Documentation / Changelog / 7.6.x / Important-85385-IntegratePharStreamWrapper.rst
1 .. include:: ../../Includes.txt
2
3 =================================================
4 Important: #85385 - Integrate Phar Stream Wrapper
5 =================================================
6
7 See :issue:`85385`
8
9 Description
10 ===========
11
12 In order to solve the issues mentioned in the `security advisory TYPO3-SA-2018-002`_
13 a new `PharStreamWrapper` has been integrated that intercepts all according stream actions using the `phar://` stream prefix.
14
15 `PharStreamWrapper` only allows invocation of Phar files that are located in the usual extension directory located in
16 `typo3conf/ext/` - Phar files stored at different locations cannot be invoked anymore.
17
18 When using Phar files in extensions PHP's `__DIR__` magic constant has to be avoided
19 and replaced by according TYPO3 file resolving instead. This is required in order to
20 allow extensions being referenced using symbolic links - when `__DIR__` points to
21 the source which is probably outside of `typo3conf/ext/` and thus denies the expected
22 Phar file invocation.
23
24 .. code-block:: php
25
26 // ...
27 include_once 'phar://' . __DIR__ . '/Resources/bundle.phar/vendor/autoload.php';
28 // ...
29
30 has to be adjusted to the following instead, using `ExtensionManagementUtility::extPath()` in order to resolve the proper path
31
32 .. code-block:: php
33
34 // ...
35 include_once 'phar://' . \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::extPath('my_extension')
36 . '/Resources/bundle.phar/vendor/autoload.php';
37 // ...
38
39 .. _security advisory TYPO3-SA-2018-002: https://typo3.org/security/advisory/typo3-core-sa-2018-002/
40
41
42 .. index:: PHP-API, ext:core