PHP RFC: Deprecate class instance deserialization in WDDX
- Version: 0.2
- Date: 2017-08-15
- Author: Christoph M. Becker, email@example.com
- Status: Withdrawn
- First Published at: https://wiki.php.net/rfc/wddx-deprecate-class-instance-deserialization
WDDX has been designed as programming language independent data exchange format for the web1). However, PHP 4.0.0 added the ability to (de)serialize class instances2) including calls to
sleep(), respectively. Therefore,
wddx_deserialize() must not be called on untrusted user input to avoid remote code execution, basically defeating the purpose of WDDX.
As such, these functions seem pretty useless right now. You can't use them
for data interchange due to security issues, and it's not the serialization
functionality you would use for local storage (for all it's issues,
serialize() is still a much better choice for that purpose.)
We therefore desire to eventually get rid of the ability to deserialize class instances, and to serialize class instances as simple structs without the
php_class_name var. To pave the way for this BC breaking change, we propose to deprecate deserialization of class instances by raising
E_DEPRECATED every time this happens, i.e. when
php_wddx_deserialize_ex() is called either explicitly via
wddx_deserialize() or implicitly via the
wddx session serialization handler and the payload contains structs with a
Backward Incompatible Changes
Additional deprecation notices may appear, but besides their usual purpose (to notify developers about functionality which may be removed in the future), these might also help to identify insecure usage of
Proposed PHP Version(s)
The deprecation should be introduced in PHP 7.next.
Besides the deprecation notices when deserializing class instances, no further impact is to be expected.
Make sure there are no open issues when the vote starts!
The actual removal of the ability to deserialize class instances via
wddx_deserialize is not part of this proposal, nor is the removal of the
wddx session serialization handler, nor is the possible move of the WDDX extension to PECL.
Proposed Voting Choices
Deprecate class instance deserialization, or not.
This proposal requires a 2/3 majority.
Patches and Tests
The suggested patch is https://github.com/cmb69/php-src/commit/0ddc855a83a1b8ee0d88dd8e2967acd0e8d4b59d.
The documentation of ''wddx_deserialize'' will also have to be updated.
After the project is implemented, this section should contain
- the version(s) it was merged to
- a link to the git commit(s)
- a link to the PHP manual entry for the feature
- a link to the language specification section (if any)