nextcloud/lib
XananasX7 02a9591463 fix(TaskProcessing): add allowed_classes to unserialize() in Manager cache
The availableTaskTypes cache stores serialized arrays containing
ShapeDescriptor objects, ShapeEnumValue objects, and EShapeType enum
values. The unserialize() call did not restrict which classes could
be instantiated.

Restrict deserialization to the three known types:
- OCP\TaskProcessing\ShapeDescriptor
- OCP\TaskProcessing\ShapeEnumValue
- OCP\TaskProcessing\EShapeType

This prevents PHP Object Injection if an attacker gains write access
to the distributed cache backend (e.g., a Redis instance without
authentication or with weak ACLs), which is a known real-world attack
vector in shared hosting and container environments.
2026-06-04 13:13:09 +00:00
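The restriction the commit message describes, as an added example that is not Nextcloud code: the same constructed cache entry is read once without and once with `allowed_classes`. `ShapeStub`, `SideEffect`, `containsIncomplete()` and `loadEntry()` are hypothetical names, and treating an entry that contains a disallowed object as a cache miss is an assumption that goes beyond what the commit message states.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a value class the cache is expected to hold.
final class ShapeStub {
    public function __construct(public string $name = '') {}
}

// Hypothetical class whose magic method has a side effect (here: a log line).
final class SideEffect {
    public static array $log = [];
    public string $note = 'ran during unserialize';
    public function __wakeup(): void { self::$log[] = $this->note; }
}

// True if any disallowed object (or suspicious nesting depth) is present.
function containsIncomplete(mixed $v, int $depth = 0): bool {
    if ($depth > 32 || $v instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($v) || is_object($v)) {
        foreach ((array) $v as $child) {
            if (containsIncomplete($child, $depth + 1)) {
                return true;
            }
        }
    }
    return false;
}

// Restricted read: anything outside the allow-list makes the entry a cache miss.
function loadEntry(string $raw, array $allowed): ?array {
    $data = unserialize($raw, ['allowed_classes' => $allowed]);
    return (is_array($data) && !containsIncomplete($data)) ? $data : null;
}

// Constructed entry: one expected object and one the reader never stored.
$entry = serialize(['shape' => new ShapeStub('text'), 'extra' => new SideEffect()]);
$clean = serialize(['shape' => new ShapeStub('text')]);

unserialize($entry);                                  // unrestricted read
printf("unrestricted: __wakeup ran %d time(s)\n", count(SideEffect::$log));

SideEffect::$log = [];
$tampered = loadEntry($entry, [ShapeStub::class]);    // restricted read
printf("restricted:   __wakeup ran %d time(s), entry %s\n",
    count(SideEffect::$log), $tampered === null ? 'rejected' : 'accepted');
printf("clean entry:  %s\n", loadEntry($clean, [ShapeStub::class]) === null ? 'rejected' : 'accepted');
```

With the allow-list in place PHP turns any other class into `__PHP_Incomplete_Class` and runs none of its magic methods, so the check for that placeholder is what lets a reader notice a tampered or stale entry instead of passing it on.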
..
composer feat: add permissions mask variant that only masks one directory 2026-04-09 23:54:51 +00:00
l10n fix(l10n): Update translations from Transifex 2026-06-04 00:24:14 +00:00
private fix(TaskProcessing): add allowed_classes to unserialize() in Manager cache 2026-06-04 13:13:09 +00:00
public docs(ocp): Add since tag 2026-06-02 20:12:54 +02:00
unstable fix(lexicon): missing doc 2025-07-24 15:56:35 -01:00
base.php fix: add user id header when redirecting to default app 2026-02-19 14:28:07 +00:00
versioncheck.php feat(PHP): Allow PHP 8.4 2024-11-08 12:59:12 +01:00