Deprecate class instance deserialization

cmb69 · cmb69 · commit 0ddc855a83a1 · 2017-08-15T17:40:29.000+02:00
The ability to deserialize class instances is a bad idea for a general
*data* exchange format, because it can lead to remote code execution
vulnerabilities (due to __wakeup() calls). We therefore deprecate this
"feature" to pave the way for its eventual removal.
diff --git a/ext/wddx/tests/005.phpt b/ext/wddx/tests/005.phpt
@@ -44,7 +44,8 @@ session.save_handler=files
 
 	session_destroy();
 ?>
---EXPECT--
+--EXPECTF--
+Deprecated: session_decode(): Class instance deserialization is deprecated in %s on line %d
 array(2) {
   ["data"]=>
   array(4) {
diff --git a/ext/wddx/tests/bug27287.phpt b/ext/wddx/tests/bug27287.phpt
@@ -16,5 +16,6 @@ Bug #27287 (segfault with deserializing object data)
 	echo "OK\n";
 
 ?>
---EXPECT--
+--EXPECTF--
+Deprecated: wddx_deserialize(): Class instance deserialization is deprecated in %s on line %d
 OK
diff --git a/ext/wddx/tests/bug71335.phpt b/ext/wddx/tests/bug71335.phpt
@@ -26,6 +26,7 @@ var_dump($d);
 ?>
 DONE
 --EXPECTF--
+Deprecated: wddx_deserialize(): Class instance deserialization is deprecated in %s on line %d
 object(stdClass)#%d (1) {
   ["php_class_name"]=>
   string(8) "stdClass"
diff --git a/ext/wddx/tests/bug73331.phpt b/ext/wddx/tests/bug73331.phpt
@@ -9,7 +9,7 @@ $wddx = "<wddxPacket version='1.0'><header/><data><struct><var name='php_class_n
 var_dump(wddx_deserialize($wddx));
 ?>
 --EXPECTF--
+Deprecated: wddx_deserialize(): Class instance deserialization is deprecated in %s on line %d
 
 Warning: wddx_deserialize(): Class pdorow can not be unserialized in %s73331.php on line %d
 NULL
-
diff --git a/ext/wddx/tests/bug73831.phpt b/ext/wddx/tests/bug73831.phpt
@@ -19,5 +19,7 @@ try {
 } catch(Error $e) { echo $e->getMessage(); }
 ?>
 --EXPECTF--
+Deprecated: wddx_deserialize(): Class instance deserialization is deprecated in %s on line %d
+
 Warning: wddx_deserialize(): Class throwable can not be instantiated in %sbug73831.php on line %d
 Cannot instantiate interface Throwable
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
@@ -952,6 +952,8 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
 					if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) &&
 						Z_TYPE(ent1->data) == IS_STRING && Z_STRLEN(ent1->data) &&
 						ent2->type == ST_STRUCT && Z_TYPE(ent2->data) == IS_ARRAY) {
+						php_error_docref(NULL, E_DEPRECATED, "Class instance deserialization is deprecated");
+
 						zend_bool incomplete_class = 0;
 
 						zend_str_tolower(Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
