[stable34] fix(TaskProcessing): restrict allowed_classes in Manager cache deserialization #60983

Merged
AndyScherzinger merged 2 commits into stable34 from backport/60884/stable34 on Jun 17, 2026
@backportbot backportbot Bot commented Jun 4, 2026

Backport of PR #60884

@backportbot backportbot Bot requested a review from a team as a code owner June 4, 2026 13:12
@backportbot backportbot Bot requested review from CarlSchwan, artonge, come-nc, kesselb, marcelklehr and salmart-dev and removed request for a team June 4, 2026 13:12
@backportbot backportbot Bot added bug 3. to review Waiting for reviews labels Jun 4, 2026
@backportbot backportbot Bot added this to the Nextcloud 34.0.1 milestone Jun 4, 2026
XananasX7 and others added 2 commits June 17, 2026 19:11
…cache

The availableTaskTypes cache stores serialized arrays containing
ShapeDescriptor objects, ShapeEnumValue objects, and EShapeType enum
values. The unserialize() call did not restrict which classes could
be instantiated.

Restrict deserialization to the three known types:
- OCP\TaskProcessing\ShapeDescriptor
- OCP\TaskProcessing\ShapeEnumValue
- OCP\TaskProcessing\EShapeType

This prevents PHP Object Injection if an attacker gains write access
to the distributed cache backend (e.g., a Redis instance without
authentication or with weak ACLs), which is a known real-world attack
vector in shared hosting and container environments.
…alization

The availableTaskTypes cache stores serialized arrays containing
ShapeDescriptor objects, ShapeEnumValue objects, and EShapeType enum
values. The unserialize() call did not restrict which classes could
be instantiated.

Restrict deserialization to the three known types:
- OCP\TaskProcessing\ShapeDescriptor
- OCP\TaskProcessing\ShapeEnumValue
- OCP\TaskProcessing\EShapeType

This prevents PHP Object Injection if an attacker gains write access
to the distributed cache backend.

Signed-off-by: El Mehdi Abenhazou <[email protected]>
@AndyScherzinger AndyScherzinger force-pushed the backport/60884/stable34 branch from 9bb39d0 to d878ec6 Compare June 17, 2026 17:11
@AndyScherzinger AndyScherzinger merged commit 495f308 into stable34 Jun 17, 2026
165 of 171 checks passed
@AndyScherzinger AndyScherzinger deleted the backport/60884/stable34 branch June 17, 2026 21:00
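
The restriction the commit messages describe, as an added example that is not code from this pull request or from Nextcloud. The `*StandIn` classes, `UnexpectedClass`, and both functions are hypothetical and assume PHP 8.0 or later; the example also goes one step beyond the commit by treating any refused class as a cache miss.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for the cached value types (not the real OCP classes).
final class ShapeDescriptorStandIn {
    public function __construct(public string $name = '', public string $description = '') {}
}
final class ShapeEnumValueStandIn {
    public function __construct(public string $name = '', public string $value = '') {}
}
// Constructed class that the cache should never contain; it records whether
// its magic method ran during deserialization.
final class UnexpectedClass {
    public static bool $wakeupRan = false;
    public function __wakeup(): void { self::$wakeupRan = true; }
}

const ALLOWED = [ShapeDescriptorStandIn::class, ShapeEnumValueStandIn::class];

/** Recursively reports whether a decoded value holds a class unserialize() refused. */
function containsRefusedClass(mixed $value): bool {
    if ($value instanceof __PHP_Incomplete_Class) {
        return true; // refused classes are materialised as this placeholder
    }
    if (is_array($value) || is_object($value)) {
        foreach ((array) $value as $item) {
            if (containsRefusedClass($item)) {
                return true;
            }
        }
    }
    return false;
}

/** Decodes a cache entry; anything outside the allowlist is treated as a miss. */
function decodeCacheEntry(string $raw): ?array {
    $decoded = unserialize($raw, ['allowed_classes' => ALLOWED]);
    return (is_array($decoded) && !containsRefusedClass($decoded)) ? $decoded : null;
}

// Constructed cache entries: one as expected, one carrying an unexpected class.
$good = serialize(['text' => new ShapeDescriptorStandIn('Text', 'Input text')]);
$tampered = serialize(['text' => new UnexpectedClass()]);

echo 'good entry accepted: ', var_export(decodeCacheEntry($good) !== null, true), PHP_EOL;
echo 'tampered entry accepted: ', var_export(decodeCacheEntry($tampered) !== null, true), PHP_EOL;
echo '__wakeup executed: ', var_export(UnexpectedClass::$wakeupRan, true), PHP_EOL;
```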
Labels

3. to review Waiting for reviews bug

4 participants