From 80d79b25e7c027b48487bc822faf4256534f22e2 Mon Sep 17 00:00:00 2001
From: joshuaruesweg
Date: Sat, 20 Mar 2021 16:38:02 +0100
Subject: [PATCH] Throw `UserInputException` insteadof `InvalidArgumentException` for invalid captchas

Currently, bots are deliberately manipulating the field to provoke an exception. This is prevented with this fix.
---
 .../files/lib/system/recaptcha/RecaptchaHandlerV2.class.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/wcfsetup/install/files/lib/system/recaptcha/RecaptchaHandlerV2.class.php b/wcfsetup/install/files/lib/system/recaptcha/RecaptchaHandlerV2.class.php
index 6d5941d345..cb2a4c9240 100644
--- a/wcfsetup/install/files/lib/system/recaptcha/RecaptchaHandlerV2.class.php
+++ b/wcfsetup/install/files/lib/system/recaptcha/RecaptchaHandlerV2.class.php
@@ -36,7 +36,8 @@ class RecaptchaHandlerV2 extends SingletonFactory {
 $key = RECAPTCHA_PRIVATEKEY_INVISIBLE;
 }
 else {
- throw new \InvalidArgumentException('$type must be either v2 or invisible.');
+ // The bot modified the `recaptcha-type` form field.
+ throw new UserInputException('recaptchaString', 'false');
 }
 $request = new HTTPRequest('https://www.google.com/recaptcha/api/siteverify?secret='.rawurlencode($key).'&response='.rawurlencode($response).'&remoteip='.rawurlencode(UserUtil::getIpAddress()), ['timeout' => 10]);
--
2.20.1
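Review bot: The added `throw new UserInputException('recaptchaString', 'false');` uses an unqualified class name, whereas the line it replaces used the fully qualified `\InvalidArgumentException`, and the diffstat shows no `use` line added by this commit. If the file does not already import `UserInputException` (the top of the file is outside the hunk), a tampered `recaptcha-type` value would still end in a class-not-found error instead of an ordinary validation failure, so the import should be confirmed. The comment would also be more accurate as `// recaptcha-type is client-controlled; an unknown value is a failed captcha, not a server error.`, because any client can submit an unexpected value, not only a bot. The enclosing method begins and ends outside the hunk.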