WDDX serialization and security

  100183
August 11, 2017 13:15 nikita.ppv@gmail.com (Nikita Popov)
Hi internals,

Same question here as with unserialize().
https://bugs.php.net/bug.php?id=75007 has recently been classified as not a
security bug, because WDDX should not be fed untrusted data.

To provide some context here, our WDDX implementation is generally
vulnerable to object injection (it is possible to create arbitrary objects,
resulting in exploitable calls to __wakeup, __destruct, __toString and
similar), but it does not have the other security issues of unserialize (in
particular, no references).

My question is now: What's the point of having this functionality at all?
As far as I can discern, WDDX seems to be targeted as a data interchange
format (something where trust generally cannot be assumed), but the way we
implement it (with support for object creation), it cannot be used as such.

As such, these functions seem pretty useless right now. You can't use them
for data interchange due to security issues, and it's not the serialization
functionality you would use for local storage (for all it's issues,
serialize() is still a much better choice for that purpose.)

I'm wondering if it might be time to remove (i.e. deprecate and move to
PECL) the wddx extension?

Regards,
Nikita
  100184
August 11, 2017 13:37 Remi Collet <remi@fedoraproject.org>
--3ciLa90GqUpLEJls4BGwVBNCFRHKLAWq9
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

Le 11/08/2017 =C3=A0 15:15, Nikita Popov a =C3=A9crit :

> I'm wondering if it might be time to remove (i.e. deprecate and move to=
> PECL) the wddx extension?
+1 --3ciLa90GqUpLEJls4BGwVBNCFRHKLAWq9--
  100187
August 11, 2017 15:07 kalle@php.net (Kalle Sommer Nielsen)
On 11 Aug 2017 15.38, "Remi Collet" <remi@fedoraproject.org> wrote:

Le 11/08/2017 à 15:15, Nikita Popov a écrit :

> I'm wondering if it might be time to remove (i.e. deprecate and move to > PECL) the wddx extension?
+1 +2
  100186
August 11, 2017 15:04 sebastian@php.net (Sebastian Bergmann)
Am 11.08.2017 um 15:15 schrieb Nikita Popov:
> I'm wondering if it might be time to remove (i.e. deprecate and move to > PECL) the wddx extension?
I have never seen it used in the wild. So +1 from me for deprecation in 7.2 and removal in 8.0.
  100199
August 13, 2017 15:08 cmbecker69@gmx.de ("Christoph M. Becker")
On 11.08.2017 at 15:15, Nikita Popov wrote:

> Same question here as with unserialize(). > https://bugs.php.net/bug.php?id=75007 has recently been classified as not a > security bug, because WDDX should not be fed untrusted data. > > To provide some context here, our WDDX implementation is generally > vulnerable to object injection (it is possible to create arbitrary objects, > resulting in exploitable calls to __wakeup, __destruct, __toString and > similar), but it does not have the other security issues of unserialize (in > particular, no references). > > My question is now: What's the point of having this functionality at all? > As far as I can discern, WDDX seems to be targeted as a data interchange > format (something where trust generally cannot be assumed), but the way we > implement it (with support for object creation), it cannot be used as such.
IMHO, implementing support for objects has been a most unfortunate decision, because WDDX was indeed not designed for that (<http://xml.coverpages.org/wddx0090-dtd-19980928.txt>). Considering https://bugs.php.net/bug.php?id=75044 makes the situation worse.
> As such, these functions seem pretty useless right now. You can't use them > for data interchange due to security issues, and it's not the serialization > functionality you would use for local storage (for all it's issues, > serialize() is still a much better choice for that purpose.)
ACK.
> I'm wondering if it might be time to remove (i.e. deprecate and move to > PECL) the wddx extension?
Hmm, that would leave a pretty useless extension in PECL. An alternative might be to remove support for objects and the wddx session serialization handler. This might even be done as bug fix if a respective ini option would be introduced. We could still move the extension to PECL afterwards. Anyhow, I've added a respective warning to the docs (http://svn.php.net/viewvc?view=revision&revision=342852). -- Christoph M. Becker
  100200
August 13, 2017 15:43 smalyshev@gmail.com (Stanislav Malyshev)
Hi!

> IMHO, implementing support for objects has been a most unfortunate > decision, because WDDX was indeed not designed for that > (<http://xml.coverpages.org/wddx0090-dtd-19980928.txt>). Considering > https://bugs.php.net/bug.php?id=75044 makes the situation worse. >
Agreed, and it was also implemented as a horrible and undocumented hack :( I wonder if we could drop support for objects from it? Maybe it'd be better than dropping the whole thing? I don't know, we need to ask somebody who actually uses it, and I have no idea who those are... -- Stas Malyshev smalyshev@gmail.com
  100202
August 13, 2017 15:52 nikita.ppv@gmail.com (Nikita Popov)
On Sun, Aug 13, 2017 at 5:08 PM, Christoph M. Becker <cmbecker69@gmx.de>
wrote:

> On 11.08.2017 at 15:15, Nikita Popov wrote: > > > Same question here as with unserialize(). > > https://bugs.php.net/bug.php?id=75007 has recently been classified as > not a > > security bug, because WDDX should not be fed untrusted data. > > > > To provide some context here, our WDDX implementation is generally > > vulnerable to object injection (it is possible to create arbitrary > objects, > > resulting in exploitable calls to __wakeup, __destruct, __toString and > > similar), but it does not have the other security issues of unserialize > (in > > particular, no references). > > > > My question is now: What's the point of having this functionality at all? > > As far as I can discern, WDDX seems to be targeted as a data interchange > > format (something where trust generally cannot be assumed), but the way > we > > implement it (with support for object creation), it cannot be used as > such. > > IMHO, implementing support for objects has been a most unfortunate > decision, because WDDX was indeed not designed for that > (<http://xml.coverpages.org/wddx0090-dtd-19980928.txt>). Considering > https://bugs.php.net/bug.php?id=75044 makes the situation worse. > > > As such, these functions seem pretty useless right now. You can't use > them > > for data interchange due to security issues, and it's not the > serialization > > functionality you would use for local storage (for all it's issues, > > serialize() is still a much better choice for that purpose.) > > ACK. > > > I'm wondering if it might be time to remove (i.e. deprecate and move to > > PECL) the wddx extension? > > Hmm, that would leave a pretty useless extension in PECL. An > alternative might be to remove support for objects and the wddx session > serialization handler. This might even be done as bug fix if a > respective ini option would be introduced. We could still move the > extension to PECL afterwards. >
I'm only suggesting a move to PECL because that seems to be our standard procedure when removing extensions. Given that WDDX as a data interchange format seems pretty much dead, I don't think it's worth trying to "fix" it in some way, especially a way that breaks backwards compatibility. Even without the additional security considerations, I would say it's long overdue to unbundle this extension. Nikita
  100209
August 14, 2017 11:04 zeev@zend.com (Zeev Suraski)
> -----Original Message----- > From: Nikita Popov [mailto:nikita.ppv@gmail.com] > Sent: Sunday, August 13, 2017 6:53 PM > To: Christoph M. Becker <cmbecker69@gmx.de> > Cc: PHP internals <internals@lists.php.net> > Subject: [PHP-DEV] Re: WDDX serialization and security > > On Sun, Aug 13, 2017 at 5:08 PM, Christoph M. Becker <cmbecker69@gmx.de> > wrote: > > > On 11.08.2017 at 15:15, Nikita Popov wrote: > > > > > Same question here as with unserialize(). > > > https://bugs.php.net/bug.php?id=75007 has recently been classified > > > as > > not a > > > security bug, because WDDX should not be fed untrusted data. > > > > > > To provide some context here, our WDDX implementation is generally > > > vulnerable to object injection (it is possible to create arbitrary > > objects, > > > resulting in exploitable calls to __wakeup, __destruct, __toString > > > and similar), but it does not have the other security issues of > > > unserialize > > (in > > > particular, no references). > > > > > > My question is now: What's the point of having this functionality at all? > > > As far as I can discern, WDDX seems to be targeted as a data > > > interchange format (something where trust generally cannot be > > > assumed), but the way > > we > > > implement it (with support for object creation), it cannot be used > > > as > > such. > > > > IMHO, implementing support for objects has been a most unfortunate > > decision, because WDDX was indeed not designed for that > > (<http://xml.coverpages.org/wddx0090-dtd-19980928.txt>). Considering > > https://bugs.php.net/bug.php?id=75044 makes the situation worse. > > > > > As such, these functions seem pretty useless right now. You can't > > > use > > them > > > for data interchange due to security issues, and it's not the > > serialization > > > functionality you would use for local storage (for all it's issues, > > > serialize() is still a much better choice for that purpose.) > > > > ACK. > > > > > I'm wondering if it might be time to remove (i.e. deprecate and move > > > to > > > PECL) the wddx extension? > > > > Hmm, that would leave a pretty useless extension in PECL. An > > alternative might be to remove support for objects and the wddx > > session serialization handler. This might even be done as bug fix if > > a respective ini option would be introduced. We could still move the > > extension to PECL afterwards. > > > > I'm only suggesting a move to PECL because that seems to be our standard > procedure when removing extensions. > > Given that WDDX as a data interchange format seems pretty much dead, I > don't think it's worth trying to "fix" it in some way, especially a way that breaks > backwards compatibility. Even without the additional security considerations, I > would say it's long overdue to unbundle this extension.
I would lean towards doing both: 1. Move it to PECL as you suggest - regardless of the security element, as you say, it's long overdue for unbundling. 2. Disable the object support in it as Christoph and Stas suggest, so that it's not completely useless (i.e. inherently insecure) in PECL. Admittedly I haven't looked at the code but I imagine that can't be too complex..? Given the security implications (the positive ones, that is), I would seriously consider doing that for 7.2 despite the very late point in time. Zeev
  100211
August 14, 2017 23:53 cmbecker69@gmx.de ("Christoph M. Becker")
On 14.08.2017 at 13:04, Zeev Suraski wrote:

> On Sunday, August 13, 2017 6:53 PM, Nikita Popov wrote: > >> On Sun, Aug 13, 2017 at 5:08 PM, Christoph M. Becker >> <cmbecker69@gmx.de> wrote: >> >>> On 11.08.2017 at 15:15, Nikita Popov wrote: >>> >>>> I'm wondering if it might be time to remove (i.e. deprecate and >>>> move to PECL) the wddx extension? >>> >>> Hmm, that would leave a pretty useless extension in PECL. An >>> alternative might be to remove support for objects and the wddx >>> session serialization handler. This might even be done as bug >>> fix if a respective ini option would be introduced. We could >>> still move the extension to PECL afterwards. >> >> I'm only suggesting a move to PECL because that seems to be our >> standard procedure when removing extensions. >> >> Given that WDDX as a data interchange format seems pretty much >> dead, I don't think it's worth trying to "fix" it in some way, >> especially a way that breaks backwards compatibility. Even without >> the additional security considerations, I would say it's long >> overdue to unbundle this extension. > > I would lean towards doing both: > > 1. Move it to PECL as you suggest - > regardless of the security element, as you say, it's long overdue for > unbundling. > > 2. Disable the object support in it as Christoph and Stas > suggest, so that it's not completely useless (i.e. inherently > insecure) in PECL. Admittedly I haven't looked at the code but I > imagine that can't be too complex..?
FWIW, I've did this in my wddx branch, see <https://github.com/cmb69/php-src/tree/wddx>.
> Given the security implications (the positive ones, that is), I would > seriously consider doing that for 7.2 despite the very late point in > time.
It might be sensible to only *deprecate* object unserialization for 7.2, and to (re)move the WDDX extension in 7.3. After all, we already tell users that `wddx_deserialize()` should not be used on untrusted input: * <http://docs.php.net/manual/en/intro.wddx.php> * <http://docs.php.net/manual/en/function.wddx-deserialize.php> Either way, we most certainly need an RFC to proceed… -- Christoph M. Becker