Merge pull request #60884 from XananasX7/security/taskprocessing-unserialize-allowed-classes

fix(TaskProcessing): restrict allowed_classes in Manager cache deserialization
Arthur Schiwon 2026-06-04 14:21:03 +02:00 committed by GitHub
commit 232fb616ea
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -938,7 +938,13 @@ class Manager implements IManager {
if ($this->availableTaskTypes === null) {
$cachedValue = $this->distributedCache->get($cacheKey);
if ($cachedValue !== null) {
$this->availableTaskTypes = unserialize($cachedValue);
$this->availableTaskTypes = unserialize($cachedValue, [
'allowed_classes' => [
ShapeDescriptor::class,
ShapeEnumValue::class,
EShapeType::class,
],
]);
}
}
// Either we have no cache or showDisabled is turned on, which we don't want to cache, ever.
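Review bot: The value returned by the restricted `unserialize()` call is still assigned to `$this->availableTaskTypes` unchecked, so a corrupt or tampered cache entry leaves the property set to `false`, and the `=== null` guard then treats it as a valid cached result. With `allowed_classes` set, objects of any class outside the list are not rejected but come back as `__PHP_Incomplete_Class` instances, so the array can also hold elements of the wrong type. I would decode into a local and fall back to `null` when the shape is wrong, e.g. `$decoded = unserialize($cachedValue, [...]);` followed by `$this->availableTaskTypes = is_array($decoded) ? $decoded : null;`, presumably letting the code after this hunk rebuild the list. A short comment above the list saying why exactly these three classes are allowed would help whoever adds a new class to the cached structure. The enclosing method starts and ends outside the hunk, so the fallback path should be confirmed against the full body.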