Newsgroups: php.internals
Xref: news.php.net php.internals:100202
Date: Sun, 13 Aug 2017 17:52:56 +0200
From: nikita.ppv@gmail.com (Nikita Popov)
To: "Christoph M. Becker"
Cc: PHP internals
Subject: Re: WDDX serialization and security

On Sun, Aug 13, 2017 at 5:08 PM, Christoph M. Becker wrote:
> On 11.08.2017 at 15:15, Nikita Popov wrote:
>
> > Same question here as with unserialize().
> > https://bugs.php.net/bug.php?id=75007 has recently been classified as
> > not a security bug, because WDDX should not be fed untrusted data.
> >
> > To provide some context here, our WDDX implementation is generally
> > vulnerable to object injection (it is possible to create arbitrary
> > objects, resulting in exploitable calls to __wakeup, __destruct,
> > __toString and similar), but it does not have the other security
> > issues of unserialize (in particular, no references).
> >
> > My question is now: What's the point of having this functionality at
> > all? As far as I can discern, WDDX seems to be targeted as a data
> > interchange format (something where trust generally cannot be
> > assumed), but the way we implement it (with support for object
> > creation), it cannot be used as such.
>
> IMHO, implementing support for objects has been a most unfortunate
> decision, because WDDX was indeed not designed for that
> (). Considering https://bugs.php.net/bug.php?id=75044 makes the
> situation worse.
>
> > As such, these functions seem pretty useless right now. You can't use
> > them for data interchange due to security issues, and it's not the
> > serialization functionality you would use for local storage (for all
> > its issues, serialize() is still a much better choice for that
> > purpose.)
>
> ACK.
>
> > I'm wondering if it might be time to remove (i.e. deprecate and move
> > to PECL) the wddx extension?
>
> Hmm, that would leave a pretty useless extension in PECL. An
> alternative might be to remove support for objects and the wddx
> session serialization handler. This might even be done as bug fix if
> a respective ini option would be introduced. We could still move the
> extension to PECL afterwards.

I'm only suggesting a move to PECL because that seems to be our
standard procedure when removing extensions. Given that WDDX as a data
interchange format seems pretty much dead, I don't think it's worth
trying to "fix" it in some way, especially a way that breaks backwards
compatibility. Even without the additional security considerations, I
would say it's long overdue to unbundle this extension.

Nikita
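One way to consume WDDX from an untrusted source without the object-injection exposure described in the thread is to never hand the packet to wddx_deserialize() at all and instead walk it as plain data. The following is an added example, not code from the thread or from ext/wddx; it assumes PHP 8 with SimpleXML, relies on the fact that ext/wddx encodes objects as a struct carrying a 'php_class_name' var, and uses constructed sample packets.

```php
<?php
// Added example: read a WDDX packet as plain data without wddx_deserialize(),
// so no object is ever instantiated and no __wakeup/__destruct/__toString can
// run. ext/wddx marks objects with a 'php_class_name' var; that is rejected here.

function wddx_only_child(SimpleXMLElement $p): SimpleXMLElement
{
    $kids = iterator_to_array($p->children(), false);
    return count($kids) === 1 ? $kids[0] : throw new InvalidArgumentException('expected one value');
}
function wddx_value(SimpleXMLElement $node, int $depth = 0): mixed
{
    if ($depth > 32) { throw new InvalidArgumentException('nesting too deep'); }
    $out = [];
    switch ($node->getName()) {
        case 'null':    return null;
        case 'boolean': return (string) $node['value'] === 'true';
        case 'string':  return (string) $node;   // <char code=.../> escapes not handled
        case 'number':
            $s = trim((string) $node);
            if (!is_numeric($s)) { throw new InvalidArgumentException('bad number'); }
            return $s + 0;                        // int or float
        case 'array':
            foreach ($node->children() as $c) { $out[] = wddx_value($c, $depth + 1); }
            return $out;
        case 'struct':
            foreach ($node->var as $var) {
                $name = (string) $var['name'];
                if ($name === 'php_class_name') { throw new InvalidArgumentException('object payload rejected'); }
                $out[$name] = wddx_value(wddx_only_child($var), $depth + 1);
            }
            return $out;
        default:
            throw new InvalidArgumentException('unsupported type: ' . $node->getName());
    }
}
function wddx_to_data(string $packet): mixed
{
    $xml = simplexml_load_string($packet, SimpleXMLElement::class, LIBXML_NONET);
    if ($xml === false || $xml->getName() !== 'wddxPacket' || !isset($xml->data)) { throw new InvalidArgumentException('not a WDDX packet'); }
    return wddx_value(wddx_only_child($xml->data));
}
// Constructed sample packets (hypothetical data) in the layout ext/wddx emits.
$plain = "<wddxPacket version='1.0'><header/><data><struct><var name='user'><string>alice</string></var>"
    . "<var name='tags'><array length='2'><string>a</string><number>2</number></array></var>"
    . "</struct></data></wddxPacket>";
$withObject = "<wddxPacket version='1.0'><header/><data><struct><var name='php_class_name'>"
    . "<string>SomeClass</string></var><var name='x'><number>1</number></var></struct></data></wddxPacket>";
var_dump(wddx_to_data($plain));   // ['user' => 'alice', 'tags' => ['a', 2]]
try { wddx_to_data($withObject); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```

Because the reader only produces scalars and arrays, a packet that would have instantiated a class under wddx_deserialize() is surfaced as an error instead of a live object.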