Merge pull request #60884 from XananasX7/security/taskprocessing-unserialize-allowed-classes

fix(TaskProcessing): restrict allowed_classes in Manager cache deserialization

Author: blizzz

lib/private/TaskProcessing/Manager.php

@@ -938,7 +938,13 @@ public function getAvailableTaskTypes(bool $showDisabled = false, ?string $userI
 		if ($this->availableTaskTypes === null) {
 			$cachedValue = $this->distributedCache->get($cacheKey);
 			if ($cachedValue !== null) {
-				$this->availableTaskTypes = unserialize($cachedValue);
+				$this->availableTaskTypes = unserialize($cachedValue, [
+					'allowed_classes' => [
+						ShapeDescriptor::class,
+						ShapeEnumValue::class,
+						EShapeType::class,
+					],
+				]);
 			}
 		}
 		// Either we have no cache or showDisabled is turned on, which we don't want to cache, ever.