upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-06-09 08:44:07 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

fix(TaskProcessing): restrict allowed_classes in Manager cache deserialization

Browse source 
The availableTaskTypes cache stores serialized arrays containing
ShapeDescriptor objects, ShapeEnumValue objects, and EShapeType enum
values. The unserialize() call did not restrict which classes could
be instantiated.

Restrict deserialization to the three known types:
- OCP\TaskProcessing\ShapeDescriptor
- OCP\TaskProcessing\ShapeEnumValue
- OCP\TaskProcessing\EShapeType

This prevents PHP Object Injection if an attacker gains write access
to the distributed cache backend.

Signed-off-by: El Mehdi Abenhazou <mehdiananas007@gmail.com>
This commit is contained in:
El Mehdi Abenhazou 2026-06-03 00:49:40 +00:00 committed by Marcel Klehr
parent d0cce3da70
commit e8c101fac8
1 changed files with 6 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
lib/private/TaskProcessing/Manager.php
View file

@ -939,12 +939,12 @@ class Manager implements IManager {
$cachedValue = $this->distributedCache->get($cacheKey);
if ($cachedValue !== null) {
$this->availableTaskTypes = unserialize($cachedValue, [
'allowed_classes' => [
ShapeDescriptor::class,
ShapeEnumValue::class,
EShapeType::class,
],
]);
'allowed_classes' => [
ShapeDescriptor::class,
ShapeEnumValue::class,
EShapeType::class,
],
]);
}
}
// Either we have no cache or showDisabled is turned on, which we don't want to cache, ever.