Guard against throwing unserialize handlers when unserializing session variables
authorTim Düsterhus <duesterhus@woltlab.com>
Mon, 5 Sep 2022 11:58:41 +0000 (13:58 +0200)
committerTim Düsterhus <duesterhus@woltlab.com>
Mon, 5 Sep 2022 11:58:41 +0000 (13:58 +0200)
wcfsetup/install/files/lib/system/session/SessionHandler.class.php

index 2ab7bb3d7e45268283df66b56c561ca1f42c3f6f..8804463c7a9fc6a61e857191459a2164f13dc44e 100644 (file)
@@ -625,9 +625,14 @@ final class SessionHandler extends SingletonFactory
             return false;
         }
 
-        $variables = @\unserialize($row['sessionVariables']);
-        // Check whether the session variables became corrupted.
-        if (!\is_array($variables)) {
+        try {
+            $variables = \unserialize($row['sessionVariables']);
+
+            // Check whether the session variables became corrupted.
+            if (!\is_array($variables)) {
+                return false;
+            }
+        } catch (\Throwable $e) {
             return false;
         }
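Review bot: With the `@` gone, a merely corrupted payload (truncated string, bad offset) makes `\unserialize()` emit a notice/warning and return `false`, not throw, so it is the `is_array` check and not the new `catch` that handles that case, and the notice now reaches whatever error handler the application installs — this hunk cannot show whether that handler turns it into a logged event, a thrown exception, or noise on every request with a damaged session row, so that is worth confirming or documenting with a comment such as `// A corrupt payload returns false (plus a notice); a throwing __wakeup/__unserialize handler is caught below.` The root cause the title names — user-land unserialize handlers running during this call — only exists because objects are allowed at all; if session variables are meant to be scalars and arrays, `\unserialize($row['sessionVariables'], ['allowed_classes' => false])` removes both the throwing-handler problem and the PHP object-injection surface should this column ever be attacker-influenced, whereas if specific classes are expected, listing them in `allowed_classes` is the next best thing. Catching `\Throwable` is defensible here since arbitrary handlers can throw anything, but `$e` is discarded; consider at least logging it so a session being silently reset is diagnosable. The enclosing method begins before this hunk and continues after it.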