====== PHP RFC: Deprecate class instance deserialization in WDDX ====== * Version: 0.2 * Date: 2017-08-15 * Author: Christoph M. Becker, cmb@php.net * Status: Withdrawn * First Published at: https://wiki.php.net/rfc/wddx-deprecate-class-instance-deserialization ===== Introduction ===== WDDX has been designed as programming language independent data exchange format for the web((http://xml.coverpages.org/wddx0090-dtd-19980928.txt)). However, PHP 4.0.0 added the ability to (de)serialize class instances((http://git.php.net/?p=php-src.git;a=commit;h=33eb7d83cab733a3397168d35506e750e1e30d65)) including calls to ''__sleep()'' and '' __wakeup()'', respectively. Therefore, ''wddx_deserialize()'' must not be called on untrusted user input to avoid remote code execution, basically defeating the purpose of WDDX. [[http://news.php.net/php.internals/100183|Quoting Nikita Popov]]: > As such, these functions seem pretty useless right now. You can't use them > for data interchange due to security issues, and it's not the serialization > functionality you would use for local storage (for all it's issues, > serialize() is still a much better choice for that purpose.) ===== Proposal ===== We therefore desire to eventually get rid of the ability to deserialize class instances, and to serialize class instances as simple structs without the ''php_class_name'' var. To pave the way for this BC breaking change, we propose to deprecate deserialization of class instances by raising ''E_DEPRECATED'' every time this happens, i.e. when ''php_wddx_deserialize_ex()'' is called either explicitly via ''wddx_deserialize()'' or implicitly via the ''wddx'' session serialization handler and the payload contains structs with a ''php_class_name'' var. ===== Backward Incompatible Changes ===== Additional deprecation notices may appear, but besides their usual purpose (to notify developers about functionality which may be removed in the future), these might also help to identify insecure usage of ''wddx_deserialize()''. ===== Proposed PHP Version(s) ===== The deprecation should be introduced in PHP 7.next. ===== RFC Impact ===== Besides the deprecation notices when deserializing class instances, no further impact is to be expected. ===== Open Issues ===== Make sure there are no open issues when the vote starts! ===== Future Scope ===== The actual removal of the ability to deserialize class instances via ''wddx_deserialize'' is not part of this proposal, nor is the removal of the ''wddx'' session serialization handler, nor is the possible move of the WDDX extension to PECL. ===== Proposed Voting Choices ===== Deprecate class instance deserialization, or not. This proposal requires a 2/3 majority. ===== Patches and Tests ===== The suggested patch is https://github.com/cmb69/php-src/commit/0ddc855a83a1b8ee0d88dd8e2967acd0e8d4b59d. The [[http://php.net/manual/en/function.wddx-deserialize.php|documentation of ''wddx_deserialize'']] will also have to be updated. ===== Implementation ===== After the project is implemented, this section should contain - the version(s) it was merged to - a link to the git commit(s) - a link to the PHP manual entry for the feature - a link to the language specification section (if any) ===== References ===== * [[http://marc.info/?l=php-internals&m=150245739612076&w=2|Preliminary discussion]]