Remove typo3/phar-stream-wrapper and associated code

This cannot happen in Drupal 9 as Drupal 9 will not require PHP 8. However Drupal 10 will require PHP 8 according to current plans, so moving there.

Although the tests (will) return green, this doesn't feel right to me.

\Drupal\Core\Security\PharExtensionInterceptor is not used anywhere any more (was only used in \Drupal\Core\DrupalKernel::boot() and not in any test classes).

- Adding a deprecation that's never triggered doesn't seem right.
- Leaving a file (core/lib/Drupal/Core/Security/PharExtensionInterceptor.php) that has undefined classes (YPO3\PharStreamWrapper\* can't be loaded since typo3/phar-stream-wrapper is no longer pulled in) doesn't seem right.

Personally I would rather do #3181275: Do not register Phar stream wrapper on PHP 8 because it is not vulnerable to unserialize bugs first and deprecate \Drupal\Core\Security\PharExtensionInterceptor there in 9.4.0 and remove in 10.0.0.

Putting this on Needs Review anyway to get more eyes/minds/random body-parts on this.

Do we need a deprecation at all? Can we consider PharExtensionInterceptor as internal as it's a very specialist class that was only used by our kernel?

@longwave: Like that idea, but since it wasn't tagged as @internal, there _could_ be Contrib/Custom modules out there using it (although I think the chances are pretty slim on that)

Doing a search on PharExtensionInterceptor in Contrib reveals no usage: http://grep.xnddx.ru/search?text=PharExtensionInterceptor&filename=

Since this is a case that's not really (fully) covered by the Drupal deprecation policy, maybe we can get away with just removing it?

++ to mark internal in separate issue with CR

Thus spoketh @andypost in #12

I think that would be a very nice solution!
Opened #3252406: Mark class \Drupal\Core\Security\PharExtensionInterceptor as internal to mark \Drupal\Core\Security\PharExtensionInterceptor in 9.4.x, so we can remove it without deprecation here after that issue lands.

Postponing on #3252406: Mark class \Drupal\Core\Security\PharExtensionInterceptor as internal

Deleted a bit too much.

+++ b/core/tests/Drupal/KernelTests/Core/File/PharWrapperTest.php
@@ -23,18 +23,7 @@ public function testPharFile() {
+    $this->assertFalse(file_exists("phar://$base/image-2.jpg/index.php"));

Looking at this now I realise that this should be $this->assertFileDoesNotExist()

No harm in tweaking that here.

Actually ignore #19. I think we can remove \Drupal\KernelTests\Core\File\PharWrapperTest and core/tests/fixtures/files/phar-1.phar - this fixture is now only testing the default stream wrapper that comes with PHP and I don't think we should be testing that.

The whole assert on $this->assertFileDoesNotExist("phar://$base/image-2.jpg/index.php"); is pretty bogus for PHP 8. We're not doing user-land phar file stream wrappers and we have no code that's doing anything in this space - ie we're removing \Drupal\Core\Security\PharExtensionInterceptor and the Typo3 code.

In that case #16 was right all along.

@alexpott what do think about removing StreamWrapperTest::testPharStreamWrapperRegistration() as well? I think that only exists because of the Typo3 interceptor.

#16 with the removal of StreamWrapperTest::testPharStreamWrapperRegistration() as well. One of the comments mentions PharStreamWrapperManager, that is now gone.

Can also remove core/tests/fixtures/files/phar-1.phar

Committed 9f5c2e9 and pushed to 10.0.x. Thanks!

Oh nice, I hadn't thought about the fact that we don't need it anymore. Yay!

Remember to tag dependency changes for the release notes.