From 32f9874ae713922e721e27372c6f068ba89488fd Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Tue, 10 Nov 2020 15:19:39 +0100
Subject: [PATCH] Clear MFA inputs if an invalid code is entered

It's not useful preserving an invalid code for the user.
---
 .../system/user/multifactor/BackupMultifactorMethod.class.php | 2 ++
 .../system/user/multifactor/TotpMultifactorMethod.class.php | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php b/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php
index 4a70764c8b..cdb217e85f 100644
--- a/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php
+++ b/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php
@@ -219,6 +219,7 @@ class BackupMultifactorMethod implements IMultifactorMethod {
 FloodControl::getInstance()->registerUserContent('com.woltlab.wcf.multifactor.backup', $setupId);
 $attempts = FloodControl::getInstance()->countUserContent('com.woltlab.wcf.multifactor.backup', $setupId, new \DateInterval('PT1H'));
 if ($attempts['count'] > self::USER_ATTEMPTS_PER_HOUR) {
+ $field->value('');
 $field->addValidationError(new FormFieldValidationError(
 'flood',
 'wcf.user.security.multifactor.backup.error.flood',
@@ -230,6 +231,7 @@ class BackupMultifactorMethod implements IMultifactorMethod {
 $userCode = \preg_replace('/\s+/', '', $field->getValue());
 if ($this->findValidCode($userCode, $codes) === null) {
+ $field->value('');
 $field->addValidationError(new FormFieldValidationError('invalid'));
 }
 })),
diff --git a/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php b/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php
index 9ab6969a34..d081f22020 100644
--- a/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php
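Review bot: Whether the flood branch returns before the backup-code lookup further down cannot be confirmed here, because the hunk ends inside the `addValidationError(` call, and that decides what the added `$field->value('')` actually does. If the branch falls through, the cleared value reaches `findValidCode` as `''` and the form collects both a `flood` and an `invalid` error; if it returns, the clear is purely cosmetic on this path. An explicit `return;` directly after the flood error (or an `else` around the lookup) would make the rate limit independent of the field value. The enclosing validator closure starts before this hunk.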
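Review bot: The added `$field->value('')` on the invalid path is only safe because `$userCode` was already derived from `getValue()` on the preceding line, and nothing in the code states that ordering, so a later refactor that moves the whitespace normalisation below the clear would silently validate an empty string. A one-line comment above the clear, `// Clear only after the submitted code has been consumed; a rejected code must not be echoed back into the form.`, would pin this. `findValidCode` and `$codes` are not visible, so whether the comparison is constant-time cannot be judged from the hunk; the validator closure begins before it.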
+++ b/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php
@@ -67,6 +67,7 @@ class TotpMultifactorMethod implements IMultifactorMethod {
 $minCounter = 0;
 if (!$totp->validateTotpCode($field->getValue(), $minCounter, new \DateTime())) {
+ $field->value('');
 $field->addValidationError(new FormFieldValidationError('invalid'));
 }
 $field->minCounter($minCounter);
@@ -211,6 +212,7 @@ class TotpMultifactorMethod implements IMultifactorMethod {
 FloodControl::getInstance()->registerUserContent('com.woltlab.wcf.multifactor.backup', $setupId);
 $attempts = FloodControl::getInstance()->countUserContent('com.woltlab.wcf.multifactor.backup', $setupId, new \DateInterval('PT10M'));
 if ($attempts['count'] > self::USER_ATTEMPTS_PER_TEN_MINUTES) {
+ $field->value('');
 $field->addValidationError(new FormFieldValidationError(
 'flood',
 'wcf.user.security.multifactor.totp.error.flood',
@@ -235,6 +237,7 @@ class TotpMultifactorMethod implements IMultifactorMethod {
 $totp = new Totp($selectedDevice['secret']);
 $minCounter = $selectedDevice['minCounter'];
 if (!$totp->validateTotpCode($field->getValue(), $minCounter, new \DateTime())) {
+ $field->value('');
 $field->addValidationError(new FormFieldValidationError('invalid'));
 }
 $field->minCounter($minCounter);
-- 
2.20.1
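Review bot: `$field->minCounter($minCounter)` after the `if` also runs on the failure path, where `$minCounter` is presumably still the `0` assigned two lines earlier, so the write-back is a no-op there; either moving it into a success branch or commenting why it is unconditional would make the intent explicit. A comment on the initialiser, `// Enrolment of a new device: no previously accepted counter, so start from 0.`, would also explain the literal. The enclosing validator starts outside the hunk.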
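Review bot: The flood bucket on the first two context lines is registered and counted under `'com.woltlab.wcf.multifactor.backup'`, although this is `TotpMultifactorMethod`, the window is `PT10M`, the constant is `USER_ATTEMPTS_PER_TEN_MINUTES` and the error key is `...totp.error.flood`. If `$setupId` is unique per method setup the two buckets will not actually merge, but the identifier reads as a copy-paste from the backup-code method and makes the TOTP limit easy to misaudit; `'com.woltlab.wcf.multifactor.totp'` in both calls would be the fix, as a separate change from this commit. As in the backup method, the hunk ends inside the `addValidationError(` call, so whether the branch returns before the code is verified is not visible here.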
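Review bot: On the rejected path `$field->minCounter($minCounter)` writes back `$selectedDevice['minCounter']` unchanged, assuming `validateTotpCode` only advances it on success, which is correct for replay protection but deserves a comment such as `// minCounter is advanced only by a successful validation; on failure this re-stores the device's current value.`. The added clear is ordered correctly, since `getValue()` has already been consumed by `validateTotpCode` on the line above, and a short comment saying so would stop a future reordering from validating an empty string. Whether the advanced counter is persisted for the device happens outside this hunk.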