PHAR Archives & Packaging
Also Known As
PHP Archive
PHAR format
PHP phar
TL;DR
PHP's native archive format for self-contained distributable applications — like a JAR file for Java — with a bootstrap stub and compressed contents.
Explanation
A PHAR (PHP Archive) bundles PHP code, assets, and metadata into a single file; the stub at the front of the file bootstraps execution. PHARs are used by Composer (composer.phar), PHPUnit, and many CLI tools, and are run with php tool.phar, loaded with require, or accessed through the phar:// stream wrapper. Creating PHARs requires phar.readonly=0 in php.ini. Critical security note: PHAR metadata is deserialized on any file operation that uses a phar:// URI, which enables PHAR injection attacks without a direct unserialize() call. Never allow user-controlled input to reach file functions that might accept phar:// paths.
Common Misconception
✗ PHAR files are only relevant when you intentionally distribute PHP as archives. In reality, any file function given a user-controlled path starting with phar:// triggers PHAR deserialization, so an attacker who can upload any file and influence a file path can exploit this.
Why It Matters
PHP Archives bundle an entire application into a single distributable file — understanding PHAR is important both for using Composer-distributed tools and for securing file upload validation against PHAR injection.
Common Mistakes
- Leaving phar.readonly = 0 in php.ini after building PHARs: it must be disabled to write archives, but leaving it disabled on a production host lets PHAR files be created or modified.
- Using user-controlled paths in file functions without blocking phar:// wrapper — triggers PHAR deserialization.
- Including dev dependencies in a distributed PHAR — increases file size and attack surface.
- Not signing PHARs for distributed tools — an unsigned PHAR can be replaced with a malicious one.
Code Examples
✗ Vulnerable
// User path in file function — PHAR injection:
$path = $_GET['file'];
if (file_exists($path)) { // ?file=phar://uploads/evil.jpg
include $path; // Deserializes and executes PHAR metadata
}
✓ Fixed
// Create a distributable CLI tool as a PHAR archive (phar.readonly must be 0 on the build machine)
$phar = new Phar('mytool.phar');
$phar->startBuffering();
// Add every .php file below src/ to the archive
$phar->buildFromDirectory(__DIR__ . '/src', '/\.php$/');
// Entry point used for CLI and web invocation of the archive
$phar->setDefaultStub('bin/mytool.php', 'bin/mytool.php');
$phar->stopBuffering();
chmod('mytool.phar', 0755);
// Run: php mytool.phar --help
// Security:
// php.ini: phar.readonly = On (the default) prevents creation or modification of PHAR files on production hosts
// Never pass attacker-controlled paths to the phar:// stream wrapper
// Validate PHAR signatures before extracting untrusted archives
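The Fixed block above shows how to build a PHAR; the following added example (not part of the original page) hardens the vulnerable pattern instead. It unregisters the phar wrapper when the application does not need it and confines user-supplied names to one directory. UPLOAD_DIR and safeFilePath() are assumed names, and the code assumes PHP 8.0+ for str_contains() and str_starts_with().

```php
<?php
declare(strict_types=1);

// 1. If the application never opens PHARs at runtime, remove the wrapper so
//    phar:// cannot reach file_exists(), include, file_get_contents(), etc.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

const UPLOAD_DIR = __DIR__ . '/uploads'; // assumed base directory

/**
 * Resolve a user-supplied name to a file inside UPLOAD_DIR, or return null.
 * Rejects any URL scheme (phar://, php://, data:, ...), NUL bytes and traversal.
 */
function safeFilePath(string $userInput): ?string
{
    // Explicit scheme check first so the rejection reason is obvious when logged.
    // PHP matches wrapper names case-insensitively, hence the /i flag.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userInput) || str_contains($userInput, "\0")) {
        return null;
    }
    // The real boundary: a plain filename, no separators, no scheme characters.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $userInput)) {
        return null;
    }
    // realpath() canonicalises ".." and returns false for stream wrappers.
    $base = realpath(UPLOAD_DIR);
    $resolved = realpath(UPLOAD_DIR . '/' . $userInput);
    if ($base === false || $resolved === false) {
        return null; // base missing, or file does not exist
    }
    // Confine to the base directory after canonicalisation.
    if (!str_starts_with($resolved, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $resolved;
}

// Constructed inputs exercising the check (report.txt is allowed only if it exists):
$candidates = ['report.txt', 'phar://uploads/evil.jpg', 'PHAR://uploads/evil.jpg',
               '../../etc/passwd', "a\0.jpg"];
foreach ($candidates as $candidate) {
    $path = safeFilePath($candidate);
    printf("%-28s => %s\n", addcslashes($candidate, "\0"),
           $path === null ? 'rejected' : 'allowed: ' . $path);
}
```

Use the returned path, never the raw request value, in the subsequent file_exists()/include call; with the wrapper unregistered, a phar:// string that slipped through would fail to open rather than deserialize metadata.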
Added
15 Mar 2026
Edited
22 Mar 2026
Tools & Severity
🔴 Critical
⚙ Fix effort: Medium
⚡ Quick Fix
Disable the phar stream wrapper if you don't use it, and never allow user-controlled input in any file operation function (file_get_contents, file_exists, require), as phar:// can trigger deserialization.
📦 Applies To
PHP 5.2+
web
cli
🔍 Detection Hints
file_get_contents() or file_exists() with a user-supplied path that could be phar://; no stream wrapper restriction; Composer archive operations with user-controlled paths
Auto-detectable:
✓ Yes
semgrep
psalm
🤖 AI Agent
Confidence: High
False Positives: Medium
✗ Manual fix
Fix: High
Context: Function
Tests: Update
CWE-502
CWE-694