Use Common::safe_unserialize for session data (#17539)

* Use safe_unserialize in Session

* Allow Notification class in session

* update readme

2 files changed, 4 insertions, 4 deletions

diff --git a/libs/README.md b/libs/README.md
index 999c5c732c..8e911a9e72 100644
--- a/libs/README.md
+++ b/libs/README.md
@@ -13,10 +13,8 @@ third-party libraries:
    - in r3040, exception classes don't follow PEAR naming convention
  * Zend/
    - strip require_once (to support autoloading)
-   - in r3694, fix ZF-10888 and ZF-10835
-   - ZF-10871 - undefined variables when socket support disabled
    - fix #6980 ("Array to string conversion") in `Zend/Session/Exception.php`
-   - fix Zend/Validate using deprecated iconv_set_encoding()
+   - various adjustments to remove unused parts of Zend Framework
    - Make sure sessions work when storing notifications
  * materialize/
    - in materialize.min.css removed the loading of Roboto fonts as the paths do not match and couldn't be loaded. Also
diff --git a/libs/Zend/Session.php b/libs/Zend/Session.php
index f097920613..cc7dae12b3 100644
--- a/libs/Zend/Session.php
+++ b/libs/Zend/Session.php
@@ -521,7 +521,9 @@ class Zend_Session extends Zend_Session_Abstract
         }
 
         if (isset($_SESSION['data']) && is_string($_SESSION['data'])) {
-            $_SESSION = unserialize(base64_decode($_SESSION['data']));
+            $_SESSION = \Piwik\Common::safe_unserialize(base64_decode($_SESSION['data']), [
+                \Piwik\Notification::class
+            ]);
         }
 
         // run validators if they exist