On 11.08.2017 at 15:15, Nikita Popov wrote:

> Same question here as with unserialize().
> https://bugs.php.net/bug.php?id=75007 has recently been classified as not a
> security bug, because WDDX should not be fed untrusted data.
>
> To provide some context here, our WDDX implementation is generally
> vulnerable to object injection (it is possible to create arbitrary objects,
> resulting in exploitable calls to __wakeup, __destruct, __toString and
> similar), but it does not have the other security issues of unserialize (in
> particular, no references).
>
> My question is now: What's the point of having this functionality at all?
> As far as I can discern, WDDX seems to be targeted as a data interchange
> format (something where trust generally cannot be assumed), but the way we
> implement it (with support for object creation), it cannot be used as such.

IMHO, implementing support for objects has been a most unfortunate decision, because WDDX was indeed not designed for that (<http://xml.coverpages.org/wddx0090-dtd-19980928.txt>). Considering https://bugs.php.net/bug.php?id=75044 makes the situation worse.

> As such, these functions seem pretty useless right now. You can't use them
> for data interchange due to security issues, and it's not the serialization
> functionality you would use for local storage (for all its issues,
> serialize() is still a much better choice for that purpose.)

ACK.

> I'm wondering if it might be time to remove (i.e. deprecate and move to
> PECL) the wddx extension?

Hmm, that would leave a pretty useless extension in PECL. An alternative might be to remove support for objects and the wddx session serialization handler. This might even be done as a bug fix if a respective ini option would be introduced. We could still move the extension to PECL afterwards.

Anyhow, I've added a respective warning to the docs (http://svn.php.net/viewvc?view=revision&revision=342852).

--
Christoph M. Becker

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
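The mitigation discussed in this exchange (WDDX without object creation) can be approximated in user code until the extension changes: pre-scan the packet and refuse any struct that carries the class-name marker before calling wddx_deserialize(). This is an added example, not code from the thread or from ext/wddx; it assumes that PHP's WDDX encoder marks an object as a struct containing a var named "php_class_name", and the sample packets are constructed for the demonstration.

```php
<?php
// Added example: deserialize WDDX as plain data only, refusing packets
// that would make ext/wddx instantiate objects (and so trigger __wakeup,
// __destruct, __toString on them).
// Assumption: ext/wddx encodes an object as <struct> with a member
// <var name="php_class_name">; that marker name is assumed here.

function wddx_deserialize_data_only(string $packet)
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);           // do not spray parser warnings
    if (!$dom->loadXML($packet, LIBXML_NONET)) { // no network fetches while parsing
        throw new InvalidArgumentException('malformed WDDX packet');
    }
    $xpath = new DOMXPath($dom);
    // Any struct member named php_class_name means the packet encodes an object.
    if ($xpath->query('//struct/var[@name="php_class_name"]')->length > 0) {
        throw new InvalidArgumentException('WDDX packet encodes objects; refused');
    }
    // Only scalars, arrays and structs remain, so hand it to the real decoder.
    return wddx_deserialize($packet);
}

// Constructed sample: a plain struct of scalars, accepted.
$dataPacket = '<wddxPacket version="1.0"><header/><data><struct>'
            . '<var name="user"><string>alice</string></var>'
            . '<var name="id"><number>42</number></var>'
            . '</struct></data></wddxPacket>';

// Constructed sample: a struct carrying the class marker, refused before
// wddx_deserialize() ever sees it (class name is a placeholder).
$objectPacket = '<wddxPacket version="1.0"><header/><data><struct>'
              . '<var name="php_class_name"><string>SomeClass</string></var>'
              . '<var name="prop"><string>x</string></var>'
              . '</struct></data></wddxPacket>';

var_dump(wddx_deserialize_data_only($dataPacket));
try {
    wddx_deserialize_data_only($objectPacket);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The check mirrors the "remove support for objects" option from the reply; it does not address the separate session-handler concern, which needs the ini-level change mentioned there.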