fix(repair): restrict unserialize() in RemoveBrokenProperties

RemoveBrokenProperties::run() calls unserialize() on the property value column without restricting allowed_classes. The result is only compared against false to identify broken rows, so no class instantiation is needed. As written though, magic methods (__wakeup/__destruct) on any class referenced by the serialized payload still execute.

The runtime decoder for the same column already restricts deserialization. See apps/dav/lib/DAV/CustomPropertiesBackend.php:675-678, which passes ['allowed_classes' => self::ALLOWED_SERIALIZED_CLASSES]. This change applies the same hardening to the repair step. It uses ['allowed_classes' => false] since the unserialized value is never used, only its truthiness is checked.

No behavior change for valid or broken rows.  

Signed-off-by: Eli Peter <54954007+elicpeter@users.noreply.github.com>

Author: elicpeter

lib/private/Repair/RemoveBrokenProperties.php

@@ -37,7 +37,7 @@ public function run(IOutput $output): void {
 		$brokenIds = [];
 		while ($entry = $result->fetch()) {
 			if (!empty($entry['propertyvalue'])) {
-				$object = @unserialize(str_replace('\x00', chr(0), $entry['propertyvalue']));
+				$object = @unserialize(str_replace('\x00', chr(0), $entry['propertyvalue']), ['allowed_classes' => false]);
 				if ($object === false) {
 					$brokenIds[] = $entry['id'];
 				}