On Sun, Aug 13, 2017 at 5:08 PM, Christoph M. Becker <cmbecke...@gmx.de> wrote:
> On 11.08.2017 at 15:15, Nikita Popov wrote: > > > Same question here as with unserialize(). > > https://bugs.php.net/bug.php?id=75007 has recently been classified as > not a > > security bug, because WDDX should not be fed untrusted data. > > > > To provide some context here, our WDDX implementation is generally > > vulnerable to object injection (it is possible to create arbitrary > objects, > > resulting in exploitable calls to __wakeup, __destruct, __toString and > > similar), but it does not have the other security issues of unserialize > (in > > particular, no references). > > > > My question is now: What's the point of having this functionality at all? > > As far as I can discern, WDDX seems to be targeted as a data interchange > > format (something where trust generally cannot be assumed), but the way > we > > implement it (with support for object creation), it cannot be used as > such. > > IMHO, implementing support for objects has been a most unfortunate > decision, because WDDX was indeed not designed for that > (<http://xml.coverpages.org/wddx0090-dtd-19980928.txt>). Considering > https://bugs.php.net/bug.php?id=75044 makes the situation worse. > > > As such, these functions seem pretty useless right now. You can't use > them > > for data interchange due to security issues, and it's not the > serialization > > functionality you would use for local storage (for all it's issues, > > serialize() is still a much better choice for that purpose.) > > ACK. > > > I'm wondering if it might be time to remove (i.e. deprecate and move to > > PECL) the wddx extension? > > Hmm, that would leave a pretty useless extension in PECL. An > alternative might be to remove support for objects and the wddx session > serialization handler. This might even be done as bug fix if a > respective ini option would be introduced. We could still move the > extension to PECL afterwards. > I'm only suggesting a move to PECL because that seems to be our standard procedure when removing extensions. Given that WDDX as a data interchange format seems pretty much dead, I don't think it's worth trying to "fix" it in some way, especially a way that breaks backwards compatibility. Even without the additional security considerations, I would say it's long overdue to unbundle this extension. Nikita