Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Deprecate class instance deserialization in WDDX
From: nikita.ppv@gmail.com (Nikita Popov)
To: "Christoph M. Becker"
Cc: PHP internals
Date: Fri, 18 Aug 2017 12:02:12 +0200
In-Reply-To: <72449705-4871-d317-857e-388f53800bbd@gmx.de>
References: <72449705-4871-d317-857e-388f53800bbd@gmx.de>

On Tue, Aug 15, 2017 at 6:54 PM, Christoph M. Becker wrote:

> Hi internals!
>
> Due to the recent discussion regarding WDDX serialization and security
> (), I've written an RFC that proposes to deprecate class instance
> deserialization in WDDX:
>
>
>
> I hereby put this RFC under discussion.
>
> Note that I have fully intentionally left out issues like moving the WDDX
> extension to PECL, actually removing the class instance deserialization
> and the `wddx` session serialization handler, to eschew lengthy
> discussions, because I would like to see the deprecation already
> happening in *PHP 7.2*, since this is a rather sensitive issue.

As I've already said in the previous thread, I don't think this is the
right way to go about this issue. Instead we should push harder to remove
this extension entirely. Let me recapitulate what the issues with this
extension are:

1. Security (object injection): __wakeup() can be triggered by untrusted
   input, usually exploitable with enough effort.

2. Security (other): While WDDX doesn't have any of the fundamental issues
   of unserialize(), the extension has a very bad track record where
   security is concerned. For two recent relevant bugs see #74145 (segfault
   on 5.6) and #73173 (memleak). These are by no means isolated occurrences,
   the wddx extension has seen quite a few security patches in the past.
   Maybe everything is fixed now? I wouldn't bet on it.

3. Irrelevance: It's 2017, nobody uses WDDX. (With the usual qualifications
   on "nobody".) On top of that the API is quite ridiculous, with
   wddx_add_vars() and wddx_serialize_vars() taking variable names (!!!) to
   serialize. This API must be from a time when register_globals not only
   still existed but was probably the preferred way of doing things.

What this RFC solves is the first point, in a backwards-compatibility
breaking way. Even with this resolved, I would still be wary of using this
on untrusted input due to the second point. The third point just means that
we shouldn't waste time on elaborate solutions. Which is why I would suggest:

1. Deprecate the entire extension in PHP 7.2.
2. Unbundle it in PHP 7.3.
3. (Optional -- someone who needs it can do it) Provide a PHP polyfill
   implementation for wddx_serialize_value and wddx_deserialize.

I'm not going to vote against just deprecating the object deserialization,
I just think that it's moving forward unnecessarily slowly. I think
everybody will benefit from removing this particular blight sooner rather
than later.

> Of course, just deprecating this "feature" does not directly prevent the
> associated security issues, but it may help to make developers aware of
> those, especially because these issues have only recently been
> documented ().
> Furthermore, the deprecation is in my opinion a necessary prerequisite
> for eventual removal of this "feature". I don't think that we can
> suddenly remove functionality that has been available since PHP 4.0.0.

It has been documented previously: There is an existing warning in the
"Notes" section. Now the warning is repeated twice on the same page ^^

Nikita
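A sketch of the kind of PHP polyfill suggested in point 3, added here as an example and not code from this thread or from php-src: it covers the array-only subset of wddx_deserialize() and turns the object case into a plain array instead of instantiating the class, which is what keeps untrusted packets away from __wakeup(). The function names are mine, and it assumes the packet layout ext/wddx emits, including the `php_class_name` struct member that marks an object.

```php
<?php
// Added example, not code from this thread or php-src: an array-only
// wddx_deserialize() polyfill sketch for the packets ext/wddx emits. Every
// <struct> becomes a PHP array and the 'php_class_name' marker is dropped,
// so untrusted input can never reach __wakeup(). Assumes PHP 8.
function safe_wddx_deserialize(string $packet): mixed
{
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET: never fetch external resources while parsing.
    $xml = simplexml_load_string($packet, SimpleXMLElement::class, LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($xml === false || $xml->getName() !== 'wddxPacket' || !isset($xml->data)) {
        throw new InvalidArgumentException('not a WDDX packet');
    }
    $root = first_child($xml->data);
    return $root === null ? null : wddx_node_to_php($root);
}
function first_child(SimpleXMLElement $node): ?SimpleXMLElement
{
    foreach ($node->children() as $child) {
        return $child;
    }
    return null;
}
function wddx_node_to_php(SimpleXMLElement $node): mixed
{
    switch ($node->getName()) {
        case 'string':  return (string) $node;
        case 'boolean': return (string) $node['value'] === 'true';
        case 'null':    return null;
        case 'number':  // int or float, as ext/wddx does; reject junk text
            $text = trim((string) $node);
            return is_numeric($text) ? $text + 0
                : throw new InvalidArgumentException('malformed <number>');
        case 'array':
            return array_map('wddx_node_to_php', iterator_to_array($node->children(), false));
        case 'struct':
            $out = [];
            foreach ($node->var as $var) {
                $name = (string) $var['name'];
                if ($name === 'php_class_name') {
                    continue; // ext/wddx would instantiate this class and run __wakeup()
                }
                $out[$name] = wddx_node_to_php(first_child($var) ?? throw new InvalidArgumentException('empty <var>'));
            }
            return $out;
        default: // dateTime, binary, recordset are out of scope for this sketch
            throw new InvalidArgumentException('unsupported WDDX type ' . $node->getName());
    }
}
```

Feeding it a constructed packet such as `<wddxPacket version='1.0'><header/><data><struct><var name='php_class_name'><string>Foo</string></var><var name='id'><number>7</number></var></struct></data></wddxPacket>` yields an array with only the `id` member; no class named in the packet is ever looked up.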