PHP RFC: Deprecate and Remove ext/wddx

• Version: 1.0.0
• Date: 2018-01-14
• Author: Christoph M. Becker, cmb@php.net
• Status: Under Discussion
• First Published at: https://wiki.php.net/rfc/deprecate-and-remove-ext-wddx

WDDX has been designed as programming language independent data exchange format for the web¹⁾. However, it never has been formally standardized, and it appears that it has been mostly superseeded by other data exchange formats such as JSON.

A particular problem is that PHP 4.0.0 added the ability to (de)serialize class instances²⁾ including calls to _​_sleep() and __wakeup(), respectively. Therefore, wddx_deserialize() must not be called on untrusted user input to avoid remote code execution, basically defeating the purpose of WDDX. A former RFC proposed to “Deprecate class instance deserialization in WDDX”, but it has been withdrawn since that would break BC, and there seemed to be generally more consensus on deprecating the extension altogether.

Therefore I suggest to either:

• PHP 7.4: deprecate ext/wddx (particularly issue E_DEPRECATED whenever a wddx_*() function is called, or a WDDX session is written or read)
• PHP 8.0: move ext/wddx to PECL/wddx (without removing the deprecation)

or to:

• PHP 7.4: move ext/wddx to PECL/wddx without any deprecation

Obviously, code using the wddx extension would issue deprecation warnings, and/or would have to use the wddx extension from PECL, or be rewritten.

• None

Whether to remove ext/wddx (with or without deprecation), which requires a 2/3 majority.

A secondary vote will be held whether to deprecate or not, which requires a 50%+1 majority (and of course only has effect, if the primary vote passes).

None, yet.

After the project is implemented, this section should contain

1. the version(s) it was merged into
2. a link to the git commit(s)
3. a link to the PHP manual entry for the feature

• Former discussion regarding WDDX serialization and security
• Discussion of the former RFC

None.