[TASK] Document integration of PharStreamWrapper 10/57710/2
author Oliver Hader <oliver@typo3.org>
Fri, 27 Jul 2018 12:28:02 +0000 (14:28 +0200)
committer Christian Kuhn <lolli@schwarzbu.ch>
Sun, 29 Jul 2018 09:27:31 +0000 (11:27 +0200)
Resolves: #85658
Releases: master, 8.7, 7.6
Change-Id: I6acdc235dff4b3c0c84a8a6d762d497f8d9664cc
Reviewed-on: https://review.typo3.org/57701
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-on: https://review.typo3.org/57710

typo3/sysext/core/Documentation/Changelog/7.6.x/Important-85385-IntegratePharStreamWrapper.rst [new file with mode: 0644]
typo3/sysext/core/Documentation/Changelog/8.7.x/Important-85385-IntegratePharStreamWrapper.rst [new file with mode: 0644]

diff --git a/typo3/sysext/core/Documentation/Changelog/7.6.x/Important-85385-IntegratePharStreamWrapper.rst b/typo3/sysext/core/Documentation/Changelog/7.6.x/Important-85385-IntegratePharStreamWrapper.rst
new file mode 100644 (file)
index 0000000..7d8b062
--- /dev/null
@@ -0,0 +1,42 @@
+.. include:: ../../Includes.txt
+
+=================================================
+Important: #85385 - Integrate Phar Stream Wrapper
+=================================================
+
+See :issue:`85385`
+
+Description
+===========
+
+In order to solve the issues mentioned in the `security advisory TYPO3-SA-2018-002`_
+a new `PharStreamWrapper` has been integrated that intercepts all according stream actions using the `phar://` stream prefix.
+
+`PharStreamWrapper` only allows invocation of Phar files that are located in the usual extension directory located in
+`typo3conf/ext/` - Phar files stored at different locations cannot be invoked anymore.
+
+When using Phar files in extensions PHP's `__DIR__` magic constant has to be avoided
+and replaced by according TYPO3 file resolving instead. This is required in order to
+allow extensions being referenced using symbolic links - when `__DIR__` points to
+the source which is probably outside of `typo3conf/ext/` and thus denies the expected
+Phar file invocation.
+
+.. code-block:: php
+
+   // ...
+   include_once 'phar://' . __DIR__ . '/Resources/bundle.phar/vendor/autoload.php';
+   // ...
+
+has to be adjusted to the following instead, using `ExtensionManagementUtility::extPath()` in order to resolve the proper path
+
+.. code-block:: php
+
+   // ...
+   include_once 'phar://' . \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::extPath('my_extension')
+     . '/Resources/bundle.phar/vendor/autoload.php';
+   // ...
+
+.. _security advisory TYPO3-SA-2018-002: https://typo3.org/security/advisory/typo3-core-sa-2018-002/
+
+
+.. index:: PHP-API, ext:core
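Review bot: The paragraph explaining why `__DIR__` must be avoided (the five lines starting "When using Phar files in extensions") does not say clearly what fails: in "when `__DIR__` points to the source which is probably outside of `typo3conf/ext/` and thus denies the expected Phar file invocation" it is unclear what does the denying. Suggest rewording so the subject is explicit, for example: for an extension referenced through a symbolic link, `__DIR__` points to the link's source location, which is probably outside `typo3conf/ext/`, so `PharStreamWrapper` denies the invocation. The sentence "has to be adjusted to the following instead, ..." before the second code block should end with a colon. It would also help integrators if the text stated how a denied invocation shows up at runtime; at present it only says such files "cannot be invoked anymore".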
diff --git a/typo3/sysext/core/Documentation/Changelog/8.7.x/Important-85385-IntegratePharStreamWrapper.rst b/typo3/sysext/core/Documentation/Changelog/8.7.x/Important-85385-IntegratePharStreamWrapper.rst
new file mode 100644 (file)
index 0000000..7d8b062
--- /dev/null
@@ -0,0 +1,42 @@
+.. include:: ../../Includes.txt
+
+=================================================
+Important: #85385 - Integrate Phar Stream Wrapper
+=================================================
+
+See :issue:`85385`
+
+Description
+===========
+
+In order to solve the issues mentioned in the `security advisory TYPO3-SA-2018-002`_
+a new `PharStreamWrapper` has been integrated that intercepts all according stream actions using the `phar://` stream prefix.
+
+`PharStreamWrapper` only allows invocation of Phar files that are located in the usual extension directory located in
+`typo3conf/ext/` - Phar files stored at different locations cannot be invoked anymore.
+
+When using Phar files in extensions PHP's `__DIR__` magic constant has to be avoided
+and replaced by according TYPO3 file resolving instead. This is required in order to
+allow extensions being referenced using symbolic links - when `__DIR__` points to
+the source which is probably outside of `typo3conf/ext/` and thus denies the expected
+Phar file invocation.
+
+.. code-block:: php
+
+   // ...
+   include_once 'phar://' . __DIR__ . '/Resources/bundle.phar/vendor/autoload.php';
+   // ...
+
+has to be adjusted to the following instead, using `ExtensionManagementUtility::extPath()` in order to resolve the proper path
+
+.. code-block:: php
+
+   // ...
+   include_once 'phar://' . \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::extPath('my_extension')
+     . '/Resources/bundle.phar/vendor/autoload.php';
+   // ...
+
+.. _security advisory TYPO3-SA-2018-002: https://typo3.org/security/advisory/typo3-core-sa-2018-002/
+
+
+.. index:: PHP-API, ext:core
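Review bot: The link label "security advisory TYPO3-SA-2018-002" does not match the identifier in its own target URL, which ends in typo3-core-sa-2018-002; the label in the Description and in the `.. _security advisory ...:` target line should use the same id as the URL so readers can search for the advisory by name. Two wording points in the Description: "intercepts all according stream actions" would read better as "intercepts all stream actions that use the `phar://` prefix", and "located in the usual extension directory located in `typo3conf/ext/`" repeats "located". This file has the same blob id (7d8b062) as the 7.6.x copy, so any fix needs to be applied to both files.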