upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-06-13 02:31:33 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 20
nextcloud/lib/private/TaskProcessing
History
El Mehdi Abenhazou af5f9aebeb fix(TaskProcessing): restrict allowed_classes in Manager cache deserialization 
The availableTaskTypes cache stores serialized arrays containing
ShapeDescriptor objects, ShapeEnumValue objects, and EShapeType enum
values. The unserialize() call did not restrict which classes could
be instantiated.

Restrict deserialization to the three known types:
- OCP\TaskProcessing\ShapeDescriptor
- OCP\TaskProcessing\ShapeEnumValue
- OCP\TaskProcessing\EShapeType

This prevents PHP Object Injection if an attacker gains write access
to the distributed cache backend.

Signed-off-by: El Mehdi Abenhazou <mehdiananas007@gmail.com>
2026-06-04 13:12:54 +00:00
..
Db feat(taskprocessing): add a boolean 'includeWatermark' to taskprocessing tasks and pass it to ISynchronousWatermarkingProvider::process 2025-11-27 11:32:08 +01:00
Manager.php fix(TaskProcessing): restrict allowed_classes in Manager cache deserialization 2026-06-04 13:12:54 +00:00
RemoveOldTasksBackgroundJob.php feat(taskprocessing): avoid generator cascade 2025-08-07 15:12:22 +02:00
SynchronousBackgroundJob.php chore: apply new CSFixer rules 2025-07-01 16:26:50 +02:00