PHP RFC: Deprecate class instance deserialization in WDDX


WDDX has been designed as programming language independent data exchange format for the web1). However, PHP 4.0.0 added the ability to (de)serialize class instances2) including calls to sleep() and wakeup(), respectively. Therefore, wddx_deserialize() must not be called on untrusted user input to avoid remote code execution, basically defeating the purpose of WDDX.

Quoting Nikita Popov:

As such, these functions seem pretty useless right now. You can't use them
for data interchange due to security issues, and it's not the serialization
functionality you would use for local storage (for all it's issues,
serialize() is still a much better choice for that purpose.)


We therefore desire to eventually get rid of the ability to deserialize class instances, and to serialize class instances as simple structs without the php_class_name var. To pave the way for this BC breaking change, we propose to deprecate deserialization of class instances by raising E_DEPRECATED every time this happens, i.e. when php_wddx_deserialize_ex() is called either explicitly via wddx_deserialize() or implicitly via the wddx session serialization handler and the payload contains structs with a php_class_name var.

Backward Incompatible Changes

Additional deprecation notices may appear, but besides their usual purpose (to notify developers about functionality which may be removed in the future), these might also help to identify insecure usage of wddx_deserialize().

Proposed PHP Version(s)

The deprecation should be introduced in PHP 7.next.

RFC Impact

Besides the deprecation notices when deserializing class instances, no further impact is to be expected.

Open Issues

Make sure there are no open issues when the vote starts!

Future Scope

The actual removal of the ability to deserialize class instances via wddx_deserialize is not part of this proposal, nor is the removal of the wddx session serialization handler, nor is the possible move of the WDDX extension to PECL.

Proposed Voting Choices

Deprecate class instance deserialization, or not.

This proposal requires a 2/3 majority.

Patches and Tests


After the project is implemented, this section should contain

  1. the version(s) it was merged to
  2. a link to the git commit(s)
  3. a link to the PHP manual entry for the feature
  4. a link to the language specification section (if any)


rfc/wddx-deprecate-class-instance-deserialization.txt · Last modified: 2017/09/22 13:28 by