Do not error during validation of TOTP codes if an invalid device is selected
authorTim Düsterhus <duesterhus@woltlab.com>
Tue, 21 Sep 2021 08:59:22 +0000 (10:59 +0200)
committerTim Düsterhus <duesterhus@woltlab.com>
Tue, 21 Sep 2021 08:59:22 +0000 (10:59 +0200)
wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php

index a547508d1b1c171e58c7643373079dfcba74459a..44502f260857183fee0a0f05688de8244832c4ad 100644 (file)
@@ -326,8 +326,14 @@ final class TotpMultifactorMethod implements IMultifactorMethod
                             }
                         }
                         if ($selectedDevice === null) {
-                            // This should never happen.
-                            $field->addValidationError(new FormFieldValidationError('unreachable'));
+                            // The user sent an invalid value for the device selector.
+                            $field->value('');
+                            $field->addValidationError(new FormFieldValidationError(
+                                'invalidCode',
+                                'wcf.user.security.multifactor.error.invalidCode'
+                            ));
+
+                            return;
                         }
 
                         $totp = new Totp($selectedDevice['secret']);
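Review bot: The new comment on the `$selectedDevice === null` branch records what happened but not why the branch answers with `invalidCode` and clears the field, which is the part a later maintainer must not undo. If the intent is that a tampered device selector gets the same response as a wrong code, say so, for example `// Invalid device selector: answer exactly like a wrong code so the response does not reveal which device IDs exist.` The enclosing validator starts and ends outside the hunk, so it is not visible whether failed attempts are counted or logged further down. If they are, the early `return;` skips that for this path, and a submitted device ID that matches none of the user's devices is worth recording as a failed attempt.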