fix(TaskProcessing): add allowed_classes to unserialize() in Manager cache

The availableTaskTypes cache stores serialized arrays containing
ShapeDescriptor objects, ShapeEnumValue objects, and EShapeType enum
values. The unserialize() call did not restrict which classes could
be instantiated.

Restrict deserialization to the three known types:
- OCP\TaskProcessing\ShapeDescriptor
- OCP\TaskProcessing\ShapeEnumValue
- OCP\TaskProcessing\EShapeType

This prevents PHP Object Injection if an attacker gains write access
to the distributed cache backend (e.g., a Redis instance without
authentication or with weak ACLs), which is a known real-world attack
vector in shared hosting and container environments.

lib/private/TaskProcessing/Manager.php

@@ -938,7 +938,13 @@ class Manager implements IManager {
 		if ($this->availableTaskTypes === null) {
 			$cachedValue = $this->distributedCache->get($cacheKey);
 			if ($cachedValue !== null) {
-				$this->availableTaskTypes = unserialize($cachedValue);
+				$this->availableTaskTypes = unserialize($cachedValue, [
+				'allowed_classes' => [
+					ShapeDescriptor::class,
+					ShapeEnumValue::class,
+					EShapeType::class,
+				],
+			]);
 			}
 		}
 		// Either we have no cache or showDisabled is turned on, which we don't want to cache, ever.