From: joshuaruesweg
Date: Sat, 20 Mar 2021 15:38:02 +0000 (+0100)
Subject: Throw `UserInputException` insteadof `InvalidArgumentException` for invalid captchas
X-Git-Tag: 5.3.6~46
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=80d79b25e7c027b48487bc822faf4256534f22e2;p=GitHub%2FWoltLab%2FWCF.git

Throw `UserInputException` insteadof `InvalidArgumentException` for invalid captchas

Currently, bots are deliberately manipulating the field to provoke an exception. This is prevented with this fix.
---

diff --git a/wcfsetup/install/files/lib/system/recaptcha/RecaptchaHandlerV2.class.php b/wcfsetup/install/files/lib/system/recaptcha/RecaptchaHandlerV2.class.php
index 6d5941d345..cb2a4c9240 100644
--- a/wcfsetup/install/files/lib/system/recaptcha/RecaptchaHandlerV2.class.php
+++ b/wcfsetup/install/files/lib/system/recaptcha/RecaptchaHandlerV2.class.php
@@ -36,7 +36,8 @@ class RecaptchaHandlerV2 extends SingletonFactory {
 $key = RECAPTCHA_PRIVATEKEY_INVISIBLE;
 }
 else {
- throw new \InvalidArgumentException('$type must be either v2 or invisible.');
+ // The bot modified the `recaptcha-type` form field.
+ throw new UserInputException('recaptchaString', 'false');
 }
 
 $request = new HTTPRequest('https://www.google.com/recaptcha/api/siteverify?secret='.rawurlencode($key).'&response='.rawurlencode($response).'&remoteip='.rawurlencode(UserUtil::getIpAddress()), ['timeout' => 10]);
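Review bot: The comment added in the final `else` branch states as fact that a bot changed the form field, but the branch is reached for every `$type` other than the accepted values, so a wrong argument passed by calling code will now also surface as an ordinary failed captcha instead of an error. I would word it by origin rather than by actor, for example `// $type comes from the client-controlled recaptcha-type form field; an unknown value is rejected as a failed captcha.` Since the exception no longer reaches the error log, it is worth deciding whether tampering with this field should still leave a low-volume trace for abuse monitoring; nothing in the hunk records it. The hunk adds no `use` line, so `UserInputException` presumably is already imported in this file, which should be confirmed. The enclosing method starts and ends outside the hunk.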