Hi internals,

Same question here as with unserialize(). https://bugs.php.net/bug.php?id=75007 has recently been classified as not a security bug, because WDDX should not be fed untrusted data.

To provide some context here, our WDDX implementation is generally vulnerable to object injection (it is possible to create arbitrary objects, resulting in exploitable calls to __wakeup, __destruct, __toString and similar), but it does not have the other security issues of unserialize (in particular, no references).

My question is now: What's the point of having this functionality at all? As far as I can discern, WDDX seems to be targeted as a data interchange format (something where trust generally cannot be assumed), but the way we implement it (with support for object creation), it cannot be used as such. As such, these functions seem pretty useless right now. You can't use them for data interchange due to security issues, and it's not the serialization functionality you would use for local storage (for all its issues, serialize() is still a much better choice for that purpose).

I'm wondering if it might be time to remove (i.e. deprecate and move to PECL) the wddx extension?

Regards,
Nikita
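The object-injection behaviour the message describes, as an added example that is not part of the original post or of ext/wddx itself. It relies on the documented fact that ext/wddx instantiates a class when a <struct> carries a var named php_class_name, and then calls the object's __wakeup; everything else (the Logger class, its methods, the packet contents, the json_decode comparison) is constructed for illustration. It assumes a PHP build with ext/wddx loaded.

```php
<?php
// Added example, not code from the original post or from ext/wddx.
// Shows why WDDX cannot take untrusted input: a <struct> with a
// php_class_name var makes wddx_deserialize() instantiate that class,
// so its magic methods run on attacker-chosen property values.

// Constructed "gadget" class: a real application class with side effects in
// its magic methods. The names and behaviour here are hypothetical.
class Logger
{
    public $file = '/tmp/app.log';
    public $data = '';

    // Runs as soon as wddx_deserialize() has built the object.
    public function __wakeup()
    {
        echo "__wakeup: Logger with file={$this->file}\n";
    }

    // Runs when the object is destroyed. A real gadget would write
    // $this->data to $this->file here; this example only reports it.
    public function __destruct()
    {
        echo "__destruct: would write " . strlen($this->data)
           . " bytes to {$this->file}\n";
    }
}

// Constructed attacker-controlled packet. The class name and every property
// value come from the packet, not from the application.
$packet = <<<'WDDX'
<wddxPacket version='1.0'><header/><data>
<struct>
  <var name='php_class_name'><string>Logger</string></var>
  <var name='file'><string>/var/www/html/dropped.php</string></var>
  <var name='data'><string>&lt;?php echo 'owned'; ?&gt;</string></var>
</struct>
</data></wddxPacket>
WDDX;

// Returns true when the deserializer built a Logger from the packet.
function wddx_creates_object(string $packet): bool
{
    if (!function_exists('wddx_deserialize')) {
        fwrite(STDERR, "ext/wddx is not loaded; nothing to demonstrate\n");
        return false;
    }
    $value = wddx_deserialize($packet);
    // There is no allowed_classes option for wddx_deserialize(), unlike
    // unserialize() since PHP 7.0, so the class choice cannot be restricted.
    return $value instanceof Logger;
}

var_dump(wddx_creates_object($packet));

// Contrast: a data-only interchange format. json_decode() with assoc=true
// can never name a class, so no magic method runs on the input.
$safe = json_decode('{"file":"/tmp/app.log","data":"hello"}', true);
var_dump(is_array($safe) && !is_object($safe));
```

The point of the contrast is the message's own: a format meant for interchange must not let the sender pick which class gets constructed on the receiving side, and ext/wddx offers no switch to turn that off.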