Newsgroups: php.internals
Date: Fri, 11 Aug 2017 15:15:46 +0200
To: PHP internals
Subject: WDDX serialization and security
From: nikita.ppv@gmail.com (Nikita Popov)

Hi internals,

Same question here as with unserialize(). https://bugs.php.net/bug.php?id=75007 has recently been classified as not a security bug, because WDDX should not be fed untrusted data.

To provide some context here, our WDDX implementation is generally vulnerable to object injection (it is possible to create arbitrary objects, resulting in exploitable calls to __wakeup, __destruct, __toString and similar), but it does not have the other security issues of unserialize (in particular, no references).

My question is now: What's the point of having this functionality at all? As far as I can discern, WDDX seems to be targeted as a data interchange format (something where trust generally cannot be assumed), but the way we implement it (with support for object creation), it cannot be used as such. As such, these functions seem pretty useless right now. You can't use them for data interchange due to security issues, and it's not the serialization functionality you would use for local storage (for all its issues, serialize() is still a much better choice for that purpose.)

I'm wondering if it might be time to remove (i.e. deprecate and move to PECL) the wddx extension?

Regards,
Nikita
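An added example, not from Nikita's mail or from ext/wddx itself, of the defensive check a consumer of WDDX input can apply before calling wddx_deserialize(): it assumes that ext/wddx represents an object as a <struct> carrying a <var name="php_class_name"> entry naming the class to instantiate, and refuses any packet containing one. The helper name wddx_deserialize_data_only and the sample packets are constructed for this illustration.

```php
<?php
// Added example (not part of the original mail or of ext/wddx).
// Assumption: ext/wddx encodes an object as a <struct> whose members include
// <var name="php_class_name"><string>ClassName</string></var>; on the
// deserialize side that marker is what triggers object creation and therefore
// the __wakeup/__destruct calls the mail describes.

function wddx_deserialize_data_only(string $packet)
{
    $prev = libxml_use_internal_errors(true);
    $dom  = new DOMDocument();
    // LIBXML_NONET: no network fetches while inspecting the packet.
    // LIBXML_NOENT is deliberately not set, so entities are not substituted.
    $ok = $dom->loadXML($packet, LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return null; // malformed XML: reject instead of guessing
    }

    // Walk every <var> element; the object marker is a plain, case-sensitive
    // attribute value, which is how ext/wddx itself matches it.
    foreach ($dom->getElementsByTagName('var') as $var) {
        if ($var->getAttribute('name') === 'php_class_name') {
            return null; // packet would instantiate an object: refuse it
        }
    }

    // Only plain scalars/arrays remain, so hand the packet to ext/wddx.
    return wddx_deserialize($packet);
}

// Constructed sample packets: the first carries only data, the second
// carries the object marker and is refused before ext/wddx sees it.
$plain = '<wddxPacket version="1.0"><header/><data>'
       . '<struct><var name="id"><number>7</number></var></struct>'
       . '</data></wddxPacket>';
$object = '<wddxPacket version="1.0"><header/><data>'
        . '<struct><var name="php_class_name"><string>SomeClass</string></var>'
        . '</struct></data></wddxPacket>';

var_dump(wddx_deserialize_data_only($plain));  // deserialized array
var_dump(wddx_deserialize_data_only($object)); // refused
```

This blocks only the object-creation path the mail describes; it does not make the extension itself suitable for untrusted input.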