Newsgroups: php.internals
To: PHP internals
Message-ID: <72449705-4871-d317-857e-388f53800bbd@gmx.de>
Date: Tue, 15 Aug 2017 18:54:22 +0200
Subject: [RFC] Deprecate class instance deserialization in WDDX
From: cmbecker69@gmx.de ("Christoph M. Becker")

Hi internals!

Due to the recent discussion regarding WDDX serialization and security (), I've written an RFC that proposes to deprecate class instance deserialization in WDDX:

I hereby put this RFC under discussion.

Note that I have fully intentionally left out issues like moving the WDDX extension to PECL, actually removing the class instance deserialization and the `wddx` session serialization handler, to eschew lengthy discussions, because I would like to see the deprecation already happening in *PHP 7.2*, since this is a rather sensitive issue.

Of course, just deprecating this "feature" does not directly prevent the associated security issues, but it may help to make developers aware of those, especially because these issues have only recently been documented (). Furthermore, the deprecation is in my opinion a necessary prerequisite for eventual removal of this "feature". I don't think that we can suddenly remove functionality that has been available since PHP 4.0.0.

I'm looking forward to your feedback.

--
Christoph M. Becker
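For readers who have not met the "feature" the RFC wants to deprecate, the following is an added illustration; it is not part of the RFC, the mail above, or the PHP source. It relies on the packet layout that wddx_serialize_value() emits for objects (a <struct> whose `php_class_name` member names the class), which wddx_deserialize() maps back to an instance and on which it calls __wakeup(). It assumes ext/wddx is loaded (PHP before 7.4, or the PECL package afterwards); the class, packet, and helper names are this example's own.

```php
<?php
// Added example, not code from the RFC or from PHP itself.
// Shows that wddx_deserialize() instantiates a class when a <struct> carries
// a 'php_class_name' member, and a pre-check that refuses such packets.
// Assumes ext/wddx is loaded (PHP < 7.4, or the PECL package afterwards).

class AuditLogger
{
    public $path = '/tmp/audit.log';

    // Runs inside wddx_deserialize(), before the caller ever sees the object,
    // on attacker-chosen property values.
    public function __wakeup()
    {
        echo "AuditLogger::__wakeup() ran with path {$this->path}\n";
    }
}

// Constructed WDDX packet (sample input for this example), in the same shape
// wddx_serialize_value() produces for an object: a <struct> whose
// 'php_class_name' member names the class to instantiate.
$packet = <<<'WDDX'
<wddxPacket version='1.0'><header/><data>
  <struct>
    <var name='php_class_name'><string>AuditLogger</string></var>
    <var name='path'><string>/var/www/html/not-a-log.php</string></var>
  </struct>
</data></wddxPacket>
WDDX;

/**
 * Hypothetical helper: true when any <struct> in the packet carries a
 * 'php_class_name' member, i.e. when wddx_deserialize() would build a class
 * instance instead of a plain array. Fails closed on unparsable XML.
 */
function wddx_packet_instantiates_class(string $packet): bool
{
    $prev = libxml_use_internal_errors(true);
    $dom  = new DOMDocument();
    // LIBXML_NONET: no network fetches while parsing; LIBXML_NOENT is
    // deliberately NOT set, so entities are not substituted.
    $ok = $dom->loadXML($packet, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($ok === false) {
        return true; // malformed packet: refuse rather than guess
    }
    $hits = (new DOMXPath($dom))->query("//struct/var[@name='php_class_name']");
    return $hits !== false && $hits->length > 0;
}

/** Hypothetical wrapper: deserialize only data-bearing packets. */
function wddx_deserialize_data_only(string $packet)
{
    if (wddx_packet_instantiates_class($packet)) {
        throw new InvalidArgumentException(
            'WDDX packet would instantiate a class instance; refused'
        );
    }
    return wddx_deserialize($packet);
}

// Unguarded: the packet is handed straight to the deserializer, so
// AuditLogger::__wakeup() runs and the caller receives an object.
$value = wddx_deserialize($packet);
var_dump($value instanceof AuditLogger);

// Guarded: the same packet is rejected before any class is instantiated.
try {
    wddx_deserialize_data_only($packet);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}

// A plain data packet still passes the guard and comes back as an array.
$plain = "<wddxPacket version='1.0'><header/><data><struct>"
       . "<var name='path'><string>/tmp/audit.log</string></var>"
       . "</struct></data></wddxPacket>";
var_dump(is_array(wddx_deserialize_data_only($plain)));
```

The guard is a stop-gap for code that must keep calling wddx_deserialize() on external input until the feature is actually removed: it does not change what the extension does, it only refuses to feed it packets that would trigger a class lookup and __wakeup(). Any __destruct() on the instantiated class would fire as well once the object goes out of scope, which is why the check has to run before, not after, deserialization.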