Hi internals!

Due to the recent discussion regarding WDDX serialization and security (<http://marc.info/?l=php-internals&m=150245739612076&w=2>), I've written an RFC that proposes to deprecate class instance deserialization in WDDX:

<https://wiki.php.net/rfc/wddx-deprecate-class-instance-deserialization>

I hereby put this RFC under discussion.

Note that I have fully intentionally left out issues like moving the WDDX extension to PECL, actually removing the class instance deserialization and the `wddx` session serialization handler, to eschew lengthy discussions, because I would like to see the deprecation already happening in *PHP 7.2*, since this is a rather sensitive issue.

Of course, just deprecating this "feature" does not directly prevent the associated security issues, but it may help to make developers aware of those, especially because these issues have only recently been documented (<http://svn.php.net/viewvc?view=revision&revision=342852>). Furthermore, the deprecation is in my opinion a necessary prerequisite for eventual removal of this "feature". I don't think that we can suddenly remove functionality that has been available since PHP 4.0.0.

I'm looking forward to your feedback.

--
Christoph M. Becker

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php