From f2d78e7aaaab2c255303e185de90fb1e96f6a198 Mon Sep 17 00:00:00 2001 From: XananasX7 Date: Sun, 31 May 2026 04:38:55 +0000 Subject: [PATCH 1/2] fix(TaskProcessing): add allowed_classes to unserialize() in Manager cache The availableTaskTypes cache stores serialized arrays containing ShapeDescriptor objects, ShapeEnumValue objects, and EShapeType enum values. The unserialize() call did not restrict which classes could be instantiated. Restrict deserialization to the three known types: - OCP\TaskProcessing\ShapeDescriptor - OCP\TaskProcessing\ShapeEnumValue - OCP\TaskProcessing\EShapeType This prevents PHP Object Injection if an attacker gains write access to the distributed cache backend (e.g., a Redis instance without authentication or with weak ACLs), which is a known real-world attack vector in shared hosting and container environments. --- lib/private/TaskProcessing/Manager.php | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/private/TaskProcessing/Manager.php b/lib/private/TaskProcessing/Manager.php index 6821aee65a002..024da47628954 100644 --- a/lib/private/TaskProcessing/Manager.php +++ b/lib/private/TaskProcessing/Manager.php @@ -939,7 +939,13 @@ public function getAvailableTaskTypes(bool $showDisabled = false, ?string $userI if ($this->availableTaskTypes === null) { $cachedValue = $this->distributedCache->get($cacheKey); if ($cachedValue !== null) { - $this->availableTaskTypes = unserialize($cachedValue); + $this->availableTaskTypes = unserialize($cachedValue, [ + 'allowed_classes' => [ + ShapeDescriptor::class, + ShapeEnumValue::class, + EShapeType::class, + ], + ]); } } // Either we have no cache or showDisabled is turned on, which we don't want to cache, ever. From 9bb39d01226fa60f4377c9f2e40cd61395e9c41e Mon Sep 17 00:00:00 2001 From: El Mehdi Abenhazou Date: Wed, 3 Jun 2026 00:49:40 +0000 Subject: [PATCH 2/2] fix(TaskProcessing): restrict allowed_classes in Manager cache deserialization The availableTaskTypes cache stores serialized arrays containing ShapeDescriptor objects, ShapeEnumValue objects, and EShapeType enum values. The unserialize() call did not restrict which classes could be instantiated. Restrict deserialization to the three known types: - OCP\TaskProcessing\ShapeDescriptor - OCP\TaskProcessing\ShapeEnumValue - OCP\TaskProcessing\EShapeType This prevents PHP Object Injection if an attacker gains write access to the distributed cache backend. Signed-off-by: El Mehdi Abenhazou --- lib/private/TaskProcessing/Manager.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/lib/private/TaskProcessing/Manager.php b/lib/private/TaskProcessing/Manager.php index 024da47628954..4d2d11ed4aaa4 100644 --- a/lib/private/TaskProcessing/Manager.php +++ b/lib/private/TaskProcessing/Manager.php @@ -940,12 +940,12 @@ public function getAvailableTaskTypes(bool $showDisabled = false, ?string $userI $cachedValue = $this->distributedCache->get($cacheKey); if ($cachedValue !== null) { $this->availableTaskTypes = unserialize($cachedValue, [ - 'allowed_classes' => [ - ShapeDescriptor::class, - ShapeEnumValue::class, - EShapeType::class, - ], - ]); + 'allowed_classes' => [ + ShapeDescriptor::class, + ShapeEnumValue::class, + EShapeType::class, + ], + ]); } } // Either we have no cache or showDisabled is turned on, which we don't want to cache, ever.