rfc:deprecate-and-remove-ext-wddx

Differences

This shows you the differences between two versions of the page.

rfc:deprecate-and-remove-ext-wddx [2018/09/16 16:44]
cmb created
rfc:deprecate-and-remove-ext-wddx [2019/03/20 13:55] (current)
cmb ext/wddx has been unbundled
Line 1: Line 1:
-====== PHP RFC: Deprecate and Remove ext/wwdx ======+====== PHP RFC: Unbundle ext/wddx ======
  
-  * Version: 0.9 +  * Version: 1.1.1 
-  * Date: 2018-09-16+  * Date: 2018-01-17
   * Author: Christoph M. Becker, <cmb@php.net>   * Author: Christoph M. Becker, <cmb@php.net>
-  * Status: Under Discussion+  * Status: Implemented
   * First Published at: https://wiki.php.net/rfc/deprecate-and-remove-ext-wddx   * First Published at: https://wiki.php.net/rfc/deprecate-and-remove-ext-wddx
  
Line 11: Line 11:
 WDDX has been designed as programming language independent data exchange format for the web((http://xml.coverpages.org/wddx0090-dtd-19980928.txt)). However, it never has been formally standardized, and it appears that it has been mostly superseeded by other data exchange formats such as JSON. WDDX has been designed as programming language independent data exchange format for the web((http://xml.coverpages.org/wddx0090-dtd-19980928.txt)). However, it never has been formally standardized, and it appears that it has been mostly superseeded by other data exchange formats such as JSON.
  
-A particular problem is that PHP 4.0.0 added the ability to (de)serialize class instances((http://git.php.net/?p=php-src.git;a=commit;h=33eb7d83cab733a3397168d35506e750e1e30d65)) including calls to ''__sleep()'' and '' __wakeup()'', respectively. Therefore, ''wddx_deserialize()'' must not be called on untrusted user input to avoid remote code execution, basically defeating the purpose of WDDX. A former RFC proposed to “[[https://wiki.php.net/rfc/wddx-deprecate-class-instance-deserialization|Deprecate class instance deserialization in WDDX]]”, but it has been withdrawn since that would break BC, and there seemed to be generally more consensus on deprecating the extension altogether.+A particular problem is that PHP 4.0.0 added the ability to (de)serialize class instances((http://git.php.net/?p=php-src.git;a=commit;h=33eb7d83cab733a3397168d35506e750e1e30d65)) including calls to ''_​_sleep()'' and ''__wakeup()'', respectively. Therefore, ''wddx_deserialize()'' must not be called on untrusted user input to avoid remote code execution, basically defeating the purpose of WDDX. A former RFC proposed to “[[https://wiki.php.net/rfc/wddx-deprecate-class-instance-deserialization|Deprecate class instance deserialization in WDDX]]”, but it has been withdrawn since that would break BC, and there seemed to be generally more consensus on deprecating the extension altogether.
  
 ===== Proposal ===== ===== Proposal =====
  
-Therefore I suggest the following procedure:+Therefore I suggest to unbundle ext/wddx. A secondary vote will be held about the detailed procedure: 
 + 
 +  - deprecate all functionality of the extension for PHP 7.4; move to PECL for PHP 8 
 +  - deprecate all functionality of the extension *and* move to PECL for PHP 7.4 
 +  - move the extension to PECL for PHP 7.4 
 +  - dump the extension for PHP 7.4 (unbundle without moving to PECL or somewhere else)
  
-  * PHP 7.4: deprecate ext/wddx (particularly issue E_DEPRECATED whenever a ''wddx_*()'' function is called) 
-  * PHP 8.0: move ext/wddx to PECL/wddx (without removing the deprecation) 
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
  
-Obviously, code using the wddx extension would issue deprecation warnings, and would have to use the wddx extension from PECL as of PHP 8.0, or be rewritten.+Obviously, code using the wddx extension would issue deprecation warnings, and/or would have to use the wddx extension from PECL (or somewhere else), or be rewritten.
  
 ===== Open Issues ===== ===== Open Issues =====
  
-None.+  * None 
 + 
 +===== Voting ===== 
 + 
 +The primary vote is about whether to unbundle ext/wddx, which requires a 2/3 majority. 
 + 
 +<doodle title=" Unbundle ext/wddx" auth="cmb" voteType="single" closed="true"> 
 +   * Yes 
 +   * No 
 +</doodle>
  
-===== Proposed Voting Choices =====+\\ A secondary vote is held about the detailed procedure (see the [[#proposal|proposal]] above). If the primary vote passes, the alternative with the most votes will be accepted.
  
-Whether to implement the proposal above, or not.+<doodle title="Unbundle ext/wddx details" auth="cmb" voteType="single" closed="true"> 
 +   * depr7.4/move 8.0(1) 
 +   * depr. and move 7.4(2) 
 +   * move 7.4(3) 
 +   * dump 7.4(4) 
 +</doodle>
  
-This RFC requires a 2/3 majority+\\ Voting starts on 2019-01-17, and ends on 2019-01-31.
  
 ===== Patches and Tests ===== ===== Patches and Tests =====
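
Review bot: The rewritten Backward Incompatible Changes sentence ("would issue deprecation warnings, and/or would have to use the wddx extension from PECL (or somewhere else), or be rewritten") no longer says which consequence belongs to which of the four alternatives in the Proposal. Alternatives 3 and 4 include no deprecation step, so code that calls ''wddx_deserialize()'' gets no runtime notice before the extension leaves the bundle, and the warning from the introduction that it must not be called on untrusted user input still applies to any copy installed from PECL. Suggest listing the impact per alternative and stating that unbundling does not change the deserialization behaviour. Two smaller points: "*and*" in the second alternative is not wiki emphasis markup, and "superseeded" in the unchanged introduction should be "superseded".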
Line 40: Line 57:
 ===== Implementation ===== ===== Implementation =====
  
-After the project is implemented, this section should contain  +  [[http://git.php.net/?p=php-src.git;a=commit;h=6bbb18a0b6bef11222caaa55c00abdbcbb55d54b|Applied]] to PHP-7.4 
-  the version(s) it was merged into +  - [[http://svn.php.net/viewvc?view=revision&revision=347028|Documentation]]
-  - a link to the git commit(s) +
-  - a link to the PHP manual entry for the feature+
  
 ===== References ===== ===== References =====
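
Review bot: The Implementation section now links the commit applied to PHP-7.4 and the documentation revision, but it does not record which alternative of the secondary vote was carried out, that is, whether ext/wddx was moved to PECL or dumped, and with or without a deprecation. The revision summary only says "ext/wddx has been unbundled". Suggest adding one line with the accepted alternative and, if the extension was moved, where it now lives, so that users who still depend on ''wddx_*()'' functions know where to get it.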
rfc/deprecate-and-remove-ext-wddx.1537116299.txt.gz · Last modified: 2018/09/16 16:44 by cmb