From a8a2529827e1a2b92bb15afd9c792470a75c186a Mon Sep 17 00:00:00 2001
From: XananasX7
Date: Sun, 31 May 2026 04:38:55 +0000
Subject: [PATCH 1/2] fix(TaskProcessing): add allowed_classes to unserialize() in Manager cache

The availableTaskTypes cache stores serialized arrays containing ShapeDescriptor objects, ShapeEnumValue objects, and EShapeType enum values. The unserialize() call did not restrict which classes could be instantiated.

Restrict deserialization to the three known types:
- OCP\TaskProcessing\ShapeDescriptor
- OCP\TaskProcessing\ShapeEnumValue
- OCP\TaskProcessing\EShapeType

This prevents PHP Object Injection if an attacker gains write access to the distributed cache backend (e.g., a Redis instance without authentication or with weak ACLs), which is a known real-world attack vector in shared hosting and container environments.
---
 lib/private/TaskProcessing/Manager.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/private/TaskProcessing/Manager.php b/lib/private/TaskProcessing/Manager.php
index 165cde87bf052..c91de4b1a351b 100644
--- a/lib/private/TaskProcessing/Manager.php
+++ b/lib/private/TaskProcessing/Manager.php
@@ -871,7 +871,13 @@ public function getAvailableTaskTypes(bool $showDisabled = false, ?string $userI
 if ($this->availableTaskTypes === null) {
 $cachedValue = $this->distributedCache->get($cacheKey);
 if ($cachedValue !== null) {
- $this->availableTaskTypes = unserialize($cachedValue);
+ $this->availableTaskTypes = unserialize($cachedValue, [
+ 'allowed_classes' => [
+ ShapeDescriptor::class,
+ ShapeEnumValue::class,
+ EShapeType::class,
+ ],
+ ]);
 }
 }
 // Either we have no cache or showDisabled is turned on, which we don't want to cache, ever.

From af5f9aebeba8e442ea298ad505dbf9d1ea88ed04 Mon Sep 17 00:00:00 2001
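Review bot: The value returned by the restricted `unserialize()` on the `+ $this->availableTaskTypes = unserialize($cachedValue, [` line is assigned without validation: a class name outside the allow-list does not fail the call but yields `__PHP_Incomplete_Class` objects, and a malformed blob returns `false` with a warning, so a tampered cache entry still reaches the rest of getAvailableTaskTypes as something other than the expected array. Treating anything that is not an array as a cache miss closes that path, e.g. `$cached = unserialize($cachedValue, ['allowed_classes' => [ShapeDescriptor::class, ShapeEnumValue::class, EShapeType::class]]);` followed by `$this->availableTaskTypes = is_array($cached) ? $cached : null;` — the closing comment suggests the code after the hunk recomputes when the property is still null, which I cannot confirm from here, and an incomplete object nested inside the array would still need a deeper check. It is also worth confirming that `ShapeDescriptor`, `ShapeEnumValue` and `EShapeType` are imported in Manager.php: the diff adds no `use` lines, and `::class` resolves a bare name against the current namespace without checking that the class exists, so a missing import would silently put the wrong FQCN in the allow-list and turn every cached object into an incomplete class. Note too that the allow-list only limits which classes can be instantiated; the property values of the three allowed types remain attacker-controlled for anyone with cache write access, so the hardening reduces the gadget surface rather than making the cached data trustworthy. The enclosing getAvailableTaskTypes() body starts and ends outside the hunk.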
From: El Mehdi Abenhazou
Date: Wed, 3 Jun 2026 00:49:40 +0000
Subject: [PATCH 2/2] fix(TaskProcessing): restrict allowed_classes in Manager cache deserialization

The availableTaskTypes cache stores serialized arrays containing ShapeDescriptor objects, ShapeEnumValue objects, and EShapeType enum values. The unserialize() call did not restrict which classes could be instantiated.

Restrict deserialization to the three known types:
- OCP\TaskProcessing\ShapeDescriptor
- OCP\TaskProcessing\ShapeEnumValue
- OCP\TaskProcessing\EShapeType

This prevents PHP Object Injection if an attacker gains write access to the distributed cache backend.

Signed-off-by: El Mehdi Abenhazou
---
 lib/private/TaskProcessing/Manager.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/private/TaskProcessing/Manager.php b/lib/private/TaskProcessing/Manager.php
index c91de4b1a351b..426a7e8ee1db4 100644
--- a/lib/private/TaskProcessing/Manager.php
+++ b/lib/private/TaskProcessing/Manager.php
@@ -872,12 +872,12 @@ public function getAvailableTaskTypes(bool $showDisabled = false, ?string $userI
 $cachedValue = $this->distributedCache->get($cacheKey);
 if ($cachedValue !== null) {
 $this->availableTaskTypes = unserialize($cachedValue, [
- 'allowed_classes' => [
- ShapeDescriptor::class,
- ShapeEnumValue::class,
- EShapeType::class,
- ],
- ]);
+ 'allowed_classes' => [
+ ShapeDescriptor::class,
+ ShapeEnumValue::class,
+ EShapeType::class,
+ ],
+ ]);
 }
 }
 // Either we have no cache or showDisabled is turned on, which we don't want to cache, ever.