====== PHP RFC: Unbundle ext/wddx ====== * Version: 1.1.1 * Date: 2018-01-17 * Author: Christoph M. Becker, * Status: Implemented * First Published at: https://wiki.php.net/rfc/deprecate-and-remove-ext-wddx ===== Introduction ===== WDDX has been designed as programming language independent data exchange format for the web((http://xml.coverpages.org/wddx0090-dtd-19980928.txt)). However, it never has been formally standardized, and it appears that it has been mostly superseeded by other data exchange formats such as JSON. A particular problem is that PHP 4.0.0 added the ability to (de)serialize class instances((http://git.php.net/?p=php-src.git;a=commit;h=33eb7d83cab733a3397168d35506e750e1e30d65)) including calls to ''_​_sleep()'' and ''__wakeup()'', respectively. Therefore, ''wddx_deserialize()'' must not be called on untrusted user input to avoid remote code execution, basically defeating the purpose of WDDX. A former RFC proposed to “[[https://wiki.php.net/rfc/wddx-deprecate-class-instance-deserialization|Deprecate class instance deserialization in WDDX]]”, but it has been withdrawn since that would break BC, and there seemed to be generally more consensus on deprecating the extension altogether. ===== Proposal ===== Therefore I suggest to unbundle ext/wddx. A secondary vote will be held about the detailed procedure: - deprecate all functionality of the extension for PHP 7.4; move to PECL for PHP 8 - deprecate all functionality of the extension *and* move to PECL for PHP 7.4 - move the extension to PECL for PHP 7.4 - dump the extension for PHP 7.4 (unbundle without moving to PECL or somewhere else) ===== Backward Incompatible Changes ===== Obviously, code using the wddx extension would issue deprecation warnings, and/or would have to use the wddx extension from PECL (or somewhere else), or be rewritten. ===== Open Issues ===== * None ===== Voting ===== The primary vote is about whether to unbundle ext/wddx, which requires a 2/3 majority. * Yes * No \\ A secondary vote is held about the detailed procedure (see the [[#proposal|proposal]] above). If the primary vote passes, the alternative with the most votes will be accepted. * depr. 7.4/move 8.0(1) * depr. and move 7.4(2) * move 7.4(3) * dump 7.4(4) \\ Voting starts on 2019-01-17, and ends on 2019-01-31. ===== Patches and Tests ===== None, yet. ===== Implementation ===== - [[http://git.php.net/?p=php-src.git;a=commit;h=6bbb18a0b6bef11222caaa55c00abdbcbb55d54b|Applied]] to PHP-7.4 - [[http://svn.php.net/viewvc?view=revision&revision=347028|Documentation]] ===== References ===== * Former discussion regarding [[https://externals.io/message/100183|WDDX serialization and security]] * Discussion of the [[https://externals.io/message/100220|former RFC]] ===== Rejected Features ===== None.