From: Tim Düsterhus
Date: Mon, 5 Sep 2022 11:58:41 +0000 (+0200)
Subject: Guard against throwing unserialize handlers when unserializing session variables
X-Git-Tag: 5.5.5_dev_1~25
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=a4257317ad70e2e9ad322ba1f3449e9395453929;p=GitHub%2FWoltLab%2FWCF.git
Guard against throwing unserialize handlers when unserializing session variables
---
diff --git a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
index 2ab7bb3d7e..8804463c7a 100644
--- a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
+++ b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
@@ -625,9 +625,14 @@ final class SessionHandler extends SingletonFactory
 return false;
 }
- $variables = @\unserialize($row['sessionVariables']);
- // Check whether the session variables became corrupted.
- if (!\is_array($variables)) {
+ try {
+ $variables = \unserialize($row['sessionVariables']);
+
+ // Check whether the session variables became corrupted.
+ if (!\is_array($variables)) {
+ return false;
+ }
+ } catch (\Throwable $e) {
 return false;
 }
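Review bot: The new `catch (\Throwable $e)` discards the exception without recording it, so a session row whose payload makes an unserialize handler throw looks the same as a session that simply does not exist. `\unserialize()` is still called without an `allowed_classes` option, so whatever classes the stored payload names are instantiated, and a throwing handler is the signal that would point to corrupted or tampered session data; passing `$e` to the project's exception logger before `return false;` would keep that visible. If session variables only ever hold scalars, arrays and a known set of classes (not verifiable from this hunk), `\unserialize($row['sessionVariables'], ['allowed_classes' => [/* known classes */]])` would narrow the problem at the source. Dropping `@` also means the notice for a malformed payload is no longer suppressed, which is harmless only if the error handler converts it into an exception that this catch absorbs. The enclosing method starts and ends outside the hunk.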