Webserver .phar handling lands in distributions

Three years ago I described how to configure your web server to handle .phar files. Installing PHP applications is then as simple as copying a single file onto your server.

In the last couple of weeks I talked to the Debian and Fedora PHP package maintainers and they patched their packages to add support for .phar. Unfortunately I was a little bit late, which means that neither Debian 9 nor Fedora 26 will contain the patches.

Fedora 27 (ETA: end of 2017) and Debian 10 (ETA: 2019) will natively support .phar files in Nginx and Apache. If you use Ondřej Surý's PHP 7.1 package repository, you already have support for .phar files today.

Security

One topic that popped up during discussion was security. Some web applications like TYPO3 and WordPress allow file uploads. At least Fedora configures the WordPress upload folder so that .php files in it are not executed by PHP at all.

In the future, this also needs to be done for .phar files.
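
As an added illustration (not taken from the original post or from any distribution's package), this is what such an upload folder rule can look like in Apache 2.4, first covering only .php and then extended to .phar. The directory path is an assumption, and only one of the two blocks would be used in a real configuration.

```apache
# Constructed example. The upload path is an assumption; replace it with
# the directory your application writes uploaded files to.

# Before: only .php is blocked. Once the server's PHP handler also
# matches .phar, an uploaded .phar file in this folder is still handed
# to PHP.
<Directory "/var/www/wordpress/wp-content/uploads">
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
</Directory>

# After: the same rule with .phar added, so neither extension is served
# or executed from the upload folder.
<Directory "/var/www/wordpress/wp-content/uploads">
    <FilesMatch "\.(php|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
```

The pattern in the upload folder should cover every extension that the server-wide PHP handler pattern matches, so the two need to be updated together.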

PHP's web phar handler Phar::webPhar() only handled HTTP GET and POST requests - all other HTTP methods were seen as non-HTTP internally and were forwarded to the command line handler.

I made a patch for that and got it included into PHP 7.0 and 7.1, which means that PHP bug #51918 is gone for PHP 7.0.20 and PHP 7.1.6!

Written by Christian Weiske.
