From e8c101fac8f12a860af85d8a1f85abb69928d953 Mon Sep 17 00:00:00 2001
From: El Mehdi Abenhazou
Date: Wed, 3 Jun 2026 00:49:40 +0000
Subject: [PATCH] fix(TaskProcessing): restrict allowed_classes in Manager cache deserialization The availableTaskTypes cache stores serialized arrays containing ShapeDescriptor objects, ShapeEnumValue objects, and EShapeType enum values. The unserialize() call did not restrict which classes could be instantiated. Restrict deserialization to the three known types: - OCP\TaskProcessing\ShapeDescriptor - OCP\TaskProcessing\ShapeEnumValue - OCP\TaskProcessing\EShapeType This prevents PHP Object Injection if an attacker gains write access to the distributed cache backend.
Signed-off-by: El Mehdi Abenhazou
---
 lib/private/TaskProcessing/Manager.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/lib/private/TaskProcessing/Manager.php b/lib/private/TaskProcessing/Manager.php
index 7a39d8c883b..77d9b659099 100644
--- a/lib/private/TaskProcessing/Manager.php
+++ b/lib/private/TaskProcessing/Manager.php
@@ -939,12 +939,12 @@ class Manager implements IManager {
 $cachedValue = $this->distributedCache->get($cacheKey);
 if ($cachedValue !== null) {
 $this->availableTaskTypes = unserialize($cachedValue, [
- 'allowed_classes' => [
- ShapeDescriptor::class,
- ShapeEnumValue::class,
- EShapeType::class,
- ],
- ]);
+ 'allowed_classes' => [
+ ShapeDescriptor::class,
+ ShapeEnumValue::class,
+ EShapeType::class,
+ ],
+ ]);
 }
 }
 // Either we have no cache or showDisabled is turned on, which we don't want to cache, ever.
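Review bot: The result of `unserialize()` is assigned straight to `$this->availableTaskTypes` inside the `if ($cachedValue !== null)` branch without checking it. `unserialize()` returns `false` on malformed data, and an object whose class is not in `allowed_classes` comes back as `__PHP_Incomplete_Class` rather than being rejected, so a tampered or stale cache entry can still put an unexpected value in the property. Decoding into a local and guarding it would close that gap, e.g. `$value = unserialize($cachedValue, ['allowed_classes' => [...]]);` followed by `if (is_array($value)) { $this->availableTaskTypes = $value; }`, so that anything else falls through to the uncached path. Separately, the six removed and six added lines are token-for-token identical in this view, so they seem to differ only in whitespace. The `allowed_classes` restriction therefore appears to be on the old side already, and the commit message describes a behavior change this hunk may not make. The enclosing method starts and ends outside the hunk, so later validation may exist.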