WDDX has been designed as a programming-language-independent data exchange format for the web. However, PHP 4.0.0 added the ability to (de)serialize class instances, including calls to __sleep() and __wakeup(), respectively: a struct carrying a php_class_name var is turned into an instance of that class on deserialization, and its __wakeup() method is called. Therefore, wddx_deserialize() must not be called on untrusted user input to avoid remote code execution, basically defeating the purpose of WDDX.
As such, the wddx_*() functions seem pretty useless right now. You can't use them for data interchange due to the security issues, and they are not the serialization functionality you would use for local storage (for all its issues, serialize() is still a much better choice for that purpose).
We therefore desire to eventually get rid of the ability to deserialize class instances, and to serialize class instances as simple structs without the php_class_name var. To pave the way for this BC-breaking change, we propose to deprecate deserialization of class instances by raising E_DEPRECATED every time this happens, i.e. when php_wddx_deserialize_ex() is called either explicitly via wddx_deserialize() or implicitly via the wddx session serialization handler and the payload contains structs with a php_class_name var.
Additional deprecation notices may appear, but besides their usual purpose (to notify developers about functionality which may be removed in the future), these might also help to identify insecure usage of wddx_deserialize().
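As an added illustration (example code written for this page, not the RFC's patch and not ext/wddx's own code), the script below shows the behaviour the proposal targets and the guard a caller can apply today: a struct carrying a php_class_name var becomes an object and __wakeup() runs with packet-supplied property values, while a pre-check refuses such packets before wddx_deserialize() sees them. The class LogWriter, the two packets and the helper names are assumptions made for this example. Converting E_DEPRECATED into an exception only has an effect once the proposed notice is implemented; an unpatched build simply never raises it.

```php
<?php
declare(strict_types=1);

// Hypothetical application class: any class whose __wakeup() has side effects will do.
final class LogWriter
{
    public static $wakeups = [];   // records which packet-supplied values reached __wakeup()
    public $line = '';

    // wddx_deserialize() instantiates this class for a struct whose php_class_name var
    // is "LogWriter", merges the remaining vars into its properties, then calls this.
    public function __wakeup()
    {
        self::$wakeups[] = $this->line;
    }
}

// Constructed packet (not taken from the RFC): a struct carrying a php_class_name var.
const CLASS_PACKET = "<wddxPacket version='1.0'><header/><data>"
    . "<struct><var name='php_class_name'><string>LogWriter</string></var>"
    . "<var name='line'><string>set by the packet</string></var></struct>"
    . "</data></wddxPacket>";

// Constructed packet with a plain struct and no php_class_name var.
const PLAIN_PACKET = "<wddxPacket version='1.0'><header/><data>"
    . "<struct><var name='a'><number>1</number></var></struct></data></wddxPacket>";

/**
 * Conservative pre-check: true if any var in the packet is named php_class_name.
 * Unparsable input is treated as unsafe. Entities are not substituted (no LIBXML_NOENT).
 */
function wddx_contains_class_instance(string $packet): bool
{
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $parsed = $doc->loadXML($packet, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$parsed) {
        return true;
    }
    $xpath = new DOMXPath($doc);
    return $xpath->query('//var[@name="php_class_name"]')->length > 0;
}

/**
 * Deserialize with two guards: refuse packets that would instantiate a class, and
 * turn the E_DEPRECATED notice the proposed patch raises into an exception so that a
 * class-instance payload cannot be accepted silently.
 */
function guarded_wddx_deserialize(string $packet)
{
    if (wddx_contains_class_instance($packet)) {
        throw new UnexpectedValueException('refusing WDDX packet that carries a php_class_name var');
    }
    set_error_handler(function (int $errno, string $errstr): bool {
        if ($errno === E_DEPRECATED) {
            throw new ErrorException($errstr, 0, $errno);
        }
        return false; // let other errors reach the standard handler
    });
    try {
        return wddx_deserialize($packet);
    } finally {
        restore_error_handler();
    }
}

if (!extension_loaded('wddx')) {
    fwrite(STDERR, "ext/wddx is not loaded\n");
    exit(1);
}

// Unguarded: the struct becomes a LogWriter and __wakeup() runs with packet-supplied state.
$obj = wddx_deserialize(CLASS_PACKET);
var_dump($obj instanceof LogWriter, LogWriter::$wakeups);

// Guarded: the same packet is rejected before wddx_deserialize() ever sees it.
try {
    guarded_wddx_deserialize(CLASS_PACKET);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), "\n";
}

// A plain struct passes the guard and comes back as an ordinary array.
var_dump(guarded_wddx_deserialize(PLAIN_PACKET));
```

The pre-check is deliberately broader than the extension's own rule (which only acts on a php_class_name var directly inside a struct): rejecting the name anywhere in the packet costs nothing for legitimate data-interchange payloads and does not depend on the deprecation notice being present in the running build.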
The deprecation should be introduced in PHP 7.next.
Besides the deprecation notices when deserializing class instances, no further impact is to be expected.
The actual removal of the ability to deserialize class instances via wddx_deserialize() is not part of this proposal, nor is the removal of the wddx session serialization handler, nor is the possible move of the WDDX extension to PECL.
Deprecate class instance deserialization, or not.
This proposal requires a 2/3 majority.
The suggested patch is https://github.com/cmb69/php-src/commit/0ddc855a83a1b8ee0d88dd8e2967acd0e8d4b59d.
The documentation of wddx_deserialize() will also have to be updated.