Skip to content

[Security] Restrict unserialize() allowed_classes in TaskProcessing distributed cache#60883

Closed
XananasX7 wants to merge 1 commit into
nextcloud:masterfrom
XananasX7:security/taskprocessing-cache-unserialize
Closed

[Security] Restrict unserialize() allowed_classes in TaskProcessing distributed cache#60883
XananasX7 wants to merge 1 commit into
nextcloud:masterfrom
XananasX7:security/taskprocessing-cache-unserialize

Conversation

@XananasX7

@XananasX7 XananasX7 commented May 31, 2026

Copy link
Copy Markdown
Contributor

Summary

TaskProcessing\Manager::getAvailableTaskTypes() serializes ShapeDescriptor, ShapeEnumValue, and EShapeType objects into the distributed cache and reads them back with bare unserialize() — no allowed_classes restriction.

An attacker who can write to the distributed cache backend can inject a crafted PHP serialized payload containing a gadget chain and achieve Remote Code Execution when getAvailableTaskTypes() is next called.

Attack scenario

  1. Attacker can write to the distributed cache backend (unauthenticated Redis, SSRF to cache server, or a cache-poisoning vulnerability in the application).
  2. Attacker injects a serialized payload using gadget classes loaded by Nextcloud/Symfony (e.g., Monolog, Doctrine, or any other library with exploitable __destruct/__wakeup).
  3. On the next getAvailableTaskTypes() call, the gadget chain fires → RCE.

Fix

Restrict allowed_classes to the three value-object types that are actually stored in this cache entry (ShapeDescriptor, ShapeEnumValue, EShapeType). Any other class in the serialized string becomes a harmless __PHP_Incomplete_Class.

Files changed

  • lib/private/TaskProcessing/Manager.php — add explicit allowed_classes to unserialize()

@XananasX7
security: restrict unserialize() allowed_classes in TaskProcessing cache
9572b8f 
getAvailableTaskTypes() stores a serialized array of ShapeDescriptor,
ShapeEnumValue, and EShapeType values in the distributed cache and reads
them back with bare unserialize() — no allowed_classes restriction.

An attacker who can write to the distributed cache backend (e.g., via an
unauthenticated Redis instance, SSRF to the cache server, or a cache-poisoning
vulnerability) can inject a crafted PHP serialized payload containing a gadget
chain and achieve Remote Code Execution when getAvailableTaskTypes() is next
called.

Restrict allowed_classes to the three value-object types actually stored in
this cache entry (ShapeDescriptor, ShapeEnumValue, EShapeType). Any other
class in the serialized string will become a harmless __PHP_Incomplete_Class
without executing constructors or magic methods.
@XananasX7 XananasX7 requested a review from a team as a code owner May 31, 2026 02:47
@XananasX7 XananasX7 requested review from Altahrim, CarlSchwan, leftybournes and salmart-dev and removed request for a team May 31, 2026 02:47
@susnux susnux added the 3. to review Waiting for reviews label Jun 1, 2026
@susnux susnux added this to the Nextcloud 35 milestone Jun 1, 2026
@joshtrichards

joshtrichards commented Jun 1, 2026

Copy link
Copy Markdown
Member

Closing as a duplicate of #60884

@github-actions

github-actions Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

(If you believe you should not receive this message, you can add yourself to the blocklist.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Altahrim Altahrim Awaiting requested review from Altahrim Altahrim is a code owner automatically assigned from nextcloud/server-backend

@salmart-dev salmart-dev Awaiting requested review from salmart-dev salmart-dev is a code owner automatically assigned from nextcloud/server-backend

@leftybournes leftybournes Awaiting requested review from leftybournes leftybournes is a code owner automatically assigned from nextcloud/server-backend

@CarlSchwan CarlSchwan Awaiting requested review from CarlSchwan CarlSchwan is a code owner automatically assigned from nextcloud/server-backend

Assignees

No one assigned

Labels

3. to review Waiting for reviews feedback-requested

Projects

None yet

Milestone

Nextcloud 35

Development

Successfully merging this pull request may close these issues.

3 participants

@XananasX7 @joshtrichards @susnux