Hi internals,

Same question here as with unserialize().
https://bugs.php.net/bug.php?id=75007 has recently been classified as not a
security bug, because WDDX should not be fed untrusted data.

To provide some context here, our WDDX implementation is generally
vulnerable to object injection (it is possible to create arbitrary objects,
resulting in exploitable calls to __wakeup, __destruct, __toString and
similar), but it does not have the other security issues of unserialize (in
particular, no references).

My question is now: What's the point of having this functionality at all?
As far as I can discern, WDDX seems to be targeted as a data interchange
format (something where trust generally cannot be assumed), but the way we
implement it (with support for object creation), it cannot be used as such.

As such, these functions seem pretty useless right now. You can't use them
for data interchange due to security issues, and it's not the serialization
functionality you would use for local storage (for all it's issues,
serialize() is still a much better choice for that purpose.)

I'm wondering if it might be time to remove (i.e. deprecate and move to
PECL) the wddx extension?


Reply via email to