Deprecate class instance deserialization

The ability to deserialize class instances is a bad idea for a general *data* exchange format, because it can lead to remote code execution vulnerabilities (due to __wakeup() calls). We therefore deprecate this "feature" to pave the way for its eventual removal.
cmb69 · Aug 15, 2017 · 0ddc855 · 0ddc855
1 parent dff9713
commit 0ddc855
Show file tree

Hide file tree

Showing 6 changed files with 10 additions and 3 deletions.
diff --git a/ext/wddx/tests/005.phpt b/ext/wddx/tests/005.phpt
@@ -44,7 +44,8 @@ session.save_handler=files
 
 	session_destroy();
 ?>
---EXPECT--
+--EXPECTF--
+Deprecated: session_decode(): Class instance deserialization is deprecated in %s on line %d
 array(2) {
   ["data"]=>
   array(4) {

diff --git a/ext/wddx/tests/bug27287.phpt b/ext/wddx/tests/bug27287.phpt
@@ -16,5 +16,6 @@ Bug #27287 (segfault with deserializing object data)
 	echo "OK\n";
 
 ?>
---EXPECT--
+--EXPECTF--
+Deprecated: wddx_deserialize(): Class instance deserialization is deprecated in %s on line %d
 OK
diff --git a/ext/wddx/tests/bug71335.phpt b/ext/wddx/tests/bug71335.phpt
@@ -26,6 +26,7 @@ var_dump($d);
 ?>
 DONE
 --EXPECTF--
+Deprecated: wddx_deserialize(): Class instance deserialization is deprecated in %s on line %d
 object(stdClass)#%d (1) {
   ["php_class_name"]=>
   string(8) "stdClass"

diff --git a/ext/wddx/tests/bug73331.phpt b/ext/wddx/tests/bug73331.phpt
@@ -9,7 +9,7 @@ $wddx = "<wddxPacket version='1.0'><header/><data><struct><var name='php_class_n
 var_dump(wddx_deserialize($wddx));
 ?>
 --EXPECTF--
+Deprecated: wddx_deserialize(): Class instance deserialization is deprecated in %s on line %d
 
 Warning: wddx_deserialize(): Class pdorow can not be unserialized in %s73331.php on line %d
 NULL
-
diff --git a/ext/wddx/tests/bug73831.phpt b/ext/wddx/tests/bug73831.phpt
@@ -19,5 +19,7 @@ try {
 } catch(Error $e) { echo $e->getMessage(); }
 ?>
 --EXPECTF--
+Deprecated: wddx_deserialize(): Class instance deserialization is deprecated in %s on line %d
+
 Warning: wddx_deserialize(): Class throwable can not be instantiated in %sbug73831.php on line %d
 Cannot instantiate interface Throwable
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
@@ -952,6 +952,8 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
 					if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) &&
 						Z_TYPE(ent1->data) == IS_STRING && Z_STRLEN(ent1->data) &&
 						ent2->type == ST_STRUCT && Z_TYPE(ent2->data) == IS_ARRAY) {
+						php_error_docref(NULL, E_DEPRECATED, "Class instance deserialization is deprecated");
+
 						zend_bool incomplete_class = 0;
 
 						zend_str_tolower(Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));