Merge pull request #60984 from nextcloud/backport/60884/stable33

[stable33] fix(TaskProcessing): restrict allowed_classes in Manager cache deserialization

Author: AndyScherzinger

lib/private/TaskProcessing/Manager.php

@@ -871,7 +871,13 @@ public function getAvailableTaskTypes(bool $showDisabled = false, ?string $userI
 		if ($this->availableTaskTypes === null) {
 			$cachedValue = $this->distributedCache->get($cacheKey);
 			if ($cachedValue !== null) {
-				$this->availableTaskTypes = unserialize($cachedValue);
+				$this->availableTaskTypes = unserialize($cachedValue, [
+					'allowed_classes' => [
+						ShapeDescriptor::class,
+						ShapeEnumValue::class,
+						EShapeType::class,
+					],
+				]);
 			}
 		}
 		// Either we have no cache or showDisabled is turned on, which we don't want to cache, ever.