Re: [PHP-DEV] Re: WDDX serialization and security

2017-08-14 Thread Christoph M. Becker
On 14.08.2017 at 13:04, Zeev Suraski wrote:
> On Sunday, August 13, 2017 6:53 PM, Nikita Popov wrote:
>
>> On Sun, Aug 13, 2017 at 5:08 PM, Christoph M. Becker
>> wrote:
>>
>>> On 11.08.2017 at 15:15, Nikita Popov wrote:
>>> I'm wondering if it might be time to remove (i.e. deprecate and

RE: [PHP-DEV] Re: WDDX serialization and security

2017-08-14 Thread Zeev Suraski
> -----Original Message-----
> From: Nikita Popov [mailto:nikita@gmail.com]
> Sent: Sunday, August 13, 2017 6:53 PM
> To: Christoph M. Becker
> Cc: PHP internals
> Subject: [PHP-DEV] Re: WDDX serialization and security
>
> On Sun, Aug 13, 2017 at 5:08 PM, Chri

[PHP-DEV] Re: WDDX serialization and security

2017-08-13 Thread Nikita Popov
On Sun, Aug 13, 2017 at 5:08 PM, Christoph M. Becker wrote:
> On 11.08.2017 at 15:15, Nikita Popov wrote:
>
> > Same question here as with unserialize().
> > https://bugs.php.net/bug.php?id=75007 has recently been classified as
> not a
> > security bug, because WDDX should not be fed untrusted da

Re: [PHP-DEV] Re: WDDX serialization and security

2017-08-13 Thread Stanislav Malyshev
Hi!

> IMHO, implementing support for objects has been a most unfortunate
> decision, because WDDX was indeed not designed for that
> (). Considering
> https://bugs.php.net/bug.php?id=75044 makes the situation worse.
> Agreed, and it was also

[PHP-DEV] Re: WDDX serialization and security

2017-08-13 Thread Christoph M. Becker
On 11.08.2017 at 15:15, Nikita Popov wrote:
> Same question here as with unserialize().
> https://bugs.php.net/bug.php?id=75007 has recently been classified as not a
> security bug, because WDDX should not be fed untrusted data.
>
> To provide some context here, our WDDX implementation is general