Currently, bots are deliberately manipulating the field to provoke an exception. This is prevented with this fix.
$key = RECAPTCHA_PRIVATEKEY_INVISIBLE;
}
else {
- throw new \InvalidArgumentException('$type must be either v2 or invisible.');
+ // The bot modified the `recaptcha-type` form field.
+ throw new UserInputException('recaptchaString', 'false');
}
$request = new HTTPRequest('https://www.google.com/recaptcha/api/siteverify?secret='.rawurlencode($key).'&response='.rawurlencode($response).'&remoteip='.rawurlencode(UserUtil::getIpAddress()), ['timeout' => 10]);
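Review bot: The second argument on the added `throw new UserInputException('recaptchaString', 'false');` line is the string literal `'false'`, not a boolean, and nothing in the hunk says why. If it is the error-type key that a failed challenge also uses, say so in the comment, so the next reader does not "fix" it to `false` and sees that an unexpected `recaptcha-type` is deliberately reported the same way as a wrong captcha answer. The comment also states the cause ("The bot modified") rather than the condition: the `else` branch is reached for any `$type` the preceding branches do not handle, so wording such as "unexpected recaptcha-type value, treat as failed challenge" would be more accurate. Since the branch now turns into an ordinary validation error, consider whether these hits should still be counted or logged somewhere, as the exception that used to surface them is gone.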