PHP RFC: Unbundle ext/wddx

Version: 1.1.1
Date: 2018-01-17
Author: Christoph M. Becker, cmb@php.net
Status: Implemented
First Published at: https://wiki.php.net/rfc/deprecate-and-remove-ext-wddx

Introduction

WDDX has been designed as programming language independent data exchange format for the web¹⁾. However, it never has been formally standardized, and it appears that it has been mostly superseeded by other data exchange formats such as JSON.

A particular problem is that PHP 4.0.0 added the ability to (de)serialize class instances²⁾ including calls to __sleep() and __wakeup(), respectively. Therefore, wddx_deserialize() must not be called on untrusted user input to avoid remote code execution, basically defeating the purpose of WDDX. A former RFC proposed to “Deprecate class instance deserialization in WDDX”, but it has been withdrawn since that would break BC, and there seemed to be generally more consensus on deprecating the extension altogether.

Proposal

Therefore I suggest to unbundle ext/wddx. A secondary vote will be held about the detailed procedure:

deprecate all functionality of the extension for PHP 7.4; move to PECL for PHP 8
deprecate all functionality of the extension *and* move to PECL for PHP 7.4
move the extension to PECL for PHP 7.4
dump the extension for PHP 7.4 (unbundle without moving to PECL or somewhere else)

Backward Incompatible Changes

Obviously, code using the wddx extension would issue deprecation warnings, and/or would have to use the wddx extension from PECL (or somewhere else), or be rewritten.

Open Issues

None

Voting

The primary vote is about whether to unbundle ext/wddx, which requires a 2/3 majority.

Unbundle ext/wddx
Real name	Yes	No
ashnazg (ashnazg)
bwoebi (bwoebi)
carusogabriel (carusogabriel)
cmb (cmb)
diegopires (diegopires)
emir (emir)
galvao (galvao)
girgias (girgias)
guilhermeblanco (guilhermeblanco)
heiglandreas (heiglandreas)
hywan (hywan)
jhdxr (jhdxr)
jpauli (jpauli)
kalle (kalle)
kguest (kguest)
laruence (laruence)
lex (lex)
malukenho (malukenho)
mariano (mariano)
nikic (nikic)
ocramius (ocramius)
petk (petk)
rasmus (rasmus)
remi (remi)
reywob (reywob)
salathe (salathe)
sebastian (sebastian)
stas (stas)
trowski (trowski)
yunosh (yunosh)
Final result:	30	0
This poll has been closed.

A secondary vote is held about the detailed procedure (see the proposal above). If the primary vote passes, the alternative with the most votes will be accepted.

Unbundle ext/wddx details
Real name	depr. 7.4/move 8.0(1)	depr. and move 7.4(2)	move 7.4(3)	dump 7.4(4)
ashnazg (ashnazg)
bwoebi (bwoebi)
carusogabriel (carusogabriel)
chregu (chregu)
diegopires (diegopires)
emir (emir)
galvao (galvao)
girgias (girgias)
guilhermeblanco (guilhermeblanco)
heiglandreas (heiglandreas)
hywan (hywan)
jhdxr (jhdxr)
kalle (kalle)
kguest (kguest)
lex (lex)
malukenho (malukenho)
mariano (mariano)
nikic (nikic)
ocramius (ocramius)
petk (petk)
rasmus (rasmus)
remi (remi)
reywob (reywob)
salathe (salathe)
sebastian (sebastian)
stas (stas)
trowski (trowski)
yunosh (yunosh)
Final result:	4	19	2	3
This poll has been closed.

Voting starts on 2019-01-17, and ends on 2019-01-31.

Patches and Tests

None, yet.

Implementation

Applied to PHP-7.4
Documentation

References

Former discussion regarding WDDX serialization and security
Discussion of the former RFC

Rejected Features

None.

¹⁾

http://xml.coverpages.org/wddx0090-dtd-19980928.txt

²⁾

http://git.php.net/?p=php-src.git;a=commit;h=33eb7d83cab733a3397168d35506e750e1e30d65