From: Tim Düsterhus Date: Tue, 21 Sep 2021 08:59:22 +0000 (+0200) Subject: Do not error during validation of TOTP codes if an invalid device is selected X-Git-Tag: 5.4.8_dev_1~7 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=fb6512a20b03728223700512649955cec0146159;p=GitHub%2FWoltLab%2FWCF.git Do not error during validation of TOTP codes if an invalid device is selected --- diff --git a/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php b/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php index a547508d1b..44502f2608 100644 --- a/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php +++ b/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php @@ -326,8 +326,14 @@ final class TotpMultifactorMethod implements IMultifactorMethod } } if ($selectedDevice === null) { - // This should never happen. - $field->addValidationError(new FormFieldValidationError('unreachable')); + // The user sent an invalid value for the device selector. + $field->value(''); + $field->addValidationError(new FormFieldValidationError( + 'invalidCode', + 'wcf.user.security.multifactor.error.invalidCode' + )); + + return; } $totp = new Totp($selectedDevice['secret']);
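Review bot: In the `$selectedDevice === null` branch, the new comment says the device selector value was invalid, yet the error is reported as `invalidCode` on `$field`. If that is deliberate, so that an unknown device is indistinguishable from a wrong code in the response, say so in the comment; otherwise a later reader may change it to a device-specific error. The added `return;` is the substantive fix, since without it execution continued to `new Totp($selectedDevice['secret'])` with a null device. Please confirm that returning here does not skip any failed-attempt accounting or throttling done later in this method, which the hunk does not show, so that a request with a bogus device value is counted like any other failed attempt. A regression test that submits an unknown device value and asserts the `invalidCode` validation error would pin this behaviour.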