Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:100211
Return-Path: <cmbecker69@gmx.de>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 16408 invoked from network); 14 Aug 2017 23:53:11 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 14 Aug 2017 23:53:11 -0000
Authentication-Results: pb1.pair.com smtp.mail=cmbecker69@gmx.de; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=cmbecker69@gmx.de; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmx.de designates 212.227.15.18 as permitted sender)
X-PHP-List-Original-Sender: cmbecker69@gmx.de
X-Host-Fingerprint: 212.227.15.18 mout.gmx.net  
Received: from [212.227.15.18] ([212.227.15.18:60687] helo=mout.gmx.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id B4/87-34801-4E732995 for <internals@lists.php.net>; Mon, 14 Aug 2017 19:53:09 -0400
Received: from [192.168.2.123] ([79.243.116.167]) by mail.gmx.com (mrgmx002
 [212.227.17.190]) with ESMTPSA (Nemesis) id 0MdKgV-1dynIE1v5n-00IRYf; Tue, 15
 Aug 2017 01:53:01 +0200
To: Zeev Suraski <zeev@zend.com>, Nikita Popov <nikita.ppv@gmail.com>
Cc: PHP internals <internals@lists.php.net>
References: <CAF+90c8WVZAT=kaVqEB-V+kCJdtBV47dMv+uUP2hiecFRPEx0Q@mail.gmail.com>
 <4ca2906e-4117-9773-d2bd-c17e27425a90@gmx.de>
 <CAF+90c8AT-xwWGdVyMTSSAUNPVSF1qv9Sga9z68f=0Zm=457Cw@mail.gmail.com>
 <BY2PR02MB298BD40845853A3A5177B46AC8C0@BY2PR02MB298.namprd02.prod.outlook.com>
Message-ID: <145aa0ba-6450-b8da-e4ed-542f70332034@gmx.de>
Date: Tue, 15 Aug 2017 01:53:03 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <BY2PR02MB298BD40845853A3A5177B46AC8C0@BY2PR02MB298.namprd02.prod.outlook.com>
Content-Type: text/plain; charset=utf-8
Content-Language: de-DE
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K0:Vj/DxPeFlaUkpCHrj3bsdV85G8hVS5GHfwjgFhj6bFooNmZxfhD
 HHTLJrkc9ZPo0A2jsX8oq5oTcHKuhEzba+/SjuBABrAI6bQKS6Gc5pupl+Ptoe2AuXiThHz
 wi8xQqw+T6Nha/zl1cq4jUmQrYeD7Y+d04Pe07GFPq9JYRHFqRlehNLPC26WrdPehuGib+l
 +81gVjOlTebEsaZFq+/Mg==
X-UI-Out-Filterresults: notjunk:1;V01:K0:B0f2Pwtv6kA=:0KjOnycoRV1n2/5ZNhihf3
 0DagZMC0OKWXXvO9DMfkYDcObiXogE/eeIbg6qRzzkIpTVWdq7JluejqE2DbrkS47Jj5lgZ/i
 hIvUHFr6aWx1+ut33eEg1A1fYlLZmfch5oZInh4+WpQc7K2wJcwQbFRz7TjuznsI6NW6wTfly
 2wn5mqJsIBSz77QnHXNeNIvSBA7Uo5K0wetZtuyiQaiptnJo6vpSJ1l06syxt1sE7TED8V1F8
 Op7vzSFLxaMWEXucTbVk/XBeySnU9ydTUGBwUPzeO9sEj6qMoYTRAkajIS5fu6f9fzwSVJqXv
 oEAsUnOQcLAbNjP+mw4c2Yo0WWvzo45EJHs+4Had6zE+iAjdkEyur0HDevH6N9Oddrh5DrHpH
 YStI4w+mQ/ly1W/D0D+KHo3Jj4u3IoDyYGxc2dd3FMT1OYyeJTpz9WYKKB9Vu7n8EEV91KSaR
 NUfei8ah0hEOdSkthRY0mvLvgnyDuNOdK4/6I7DROyaUUHxi1r1qh3UgonZa1dwGr7cjx+goZ
 VP7Tuz9QoG0+jA6nOdbS0X2Di8QHwSy/X5f2CZLABLKz1fK+LAlA14hr4UkCyk4kj92lFJiU9
 ml6auN4/HTtRnWHGGZidoQwDwREExK6gXAg+os1ZWOa/KG+ok1tPqSK5prVlEWEJjdDzuMJlR
 vdffZxJtqqe7KTUsg9KAmkpGorN7oUU6W3cwwxrI1EXBKQLO36hn3KbanmRCyq+3V3ArYvR+Y
 TxVSJjQhUwmcGDyuBA+XQ2TJ1t1bz4CtQzDjHZ/6PabeJZZ7RqIXmeoqw4VsJBVKtSQieHm58
 k94nB9OmPVFMHkvHE3pXzN4H8lr+TXxhrPbHiAvF0kctjl5BII=
Subject: Re: [PHP-DEV] Re: WDDX serialization and security
From: cmbecker69@gmx.de ("Christoph M. Becker")

On 14.08.2017 at 13:04, Zeev Suraski wrote:

> On Sunday, August 13, 2017 6:53 PM, Nikita Popov wrote:
> 
>> On Sun, Aug 13, 2017 at 5:08 PM, Christoph M. Becker
>> <cmbecker69@gmx.de> wrote:
>> 
>>> On 11.08.2017 at 15:15, Nikita Popov wrote:
>>> 
>>>> I'm wondering if it might be time to remove (i.e. deprecate and
>>>> move to PECL) the wddx extension?
>>> 
>>> Hmm, that would leave a pretty useless extension in PECL.  An 
>>> alternative might be to remove support for objects and the wddx 
>>> session serialization handler.  This might even be done as bug
>>> fix if a respective ini option would be introduced.  We could
>>> still move the extension to PECL afterwards.
>> 
>> I'm only suggesting a move to PECL because that seems to be our
>> standard procedure when removing extensions.
>> 
>> Given that WDDX as a data interchange format seems pretty much
>> dead, I don't think it's worth trying to "fix" it in some way,
>> especially a way that breaks backwards compatibility. Even without
>> the additional security considerations, I would say it's long
>> overdue to unbundle this extension.
> 
> I would lean towards doing both: 
>
> 1. Move it to PECL as you suggest -
> regardless of the security element, as you say, it's long overdue for
> unbundling. 
>
> 2. Disable the object support in it as Christoph and Stas
> suggest, so that it's not completely useless (i.e. inherently
> insecure) in PECL. Admittedly I haven't looked at the code but I
> imagine that can't be too complex..?

FWIW, I've did this in my wddx branch, see
<https://github.com/cmb69/php-src/tree/wddx>.

> Given the security implications (the positive ones, that is), I would
> seriously consider doing that for 7.2 despite the very late point in
> time.

It might be sensible to only *deprecate* object unserialization for 7.2,
and to (re)move the WDDX extension in 7.3.  After all, we already tell
users that `wddx_deserialize()` should not be used on untrusted input:

* <http://docs.php.net/manual/en/intro.wddx.php>
* <http://docs.php.net/manual/en/function.wddx-deserialize.php>

Either way, we most certainly need an RFC to proceed…

-- 
Christoph M. Becker