From fb6512a20b03728223700512649955cec0146159 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Tue, 21 Sep 2021 10:59:22 +0200
Subject: [PATCH] Do not error during validation of TOTP codes if an invalid device is selected
---
 .../user/multifactor/TotpMultifactorMethod.class.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php b/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php
index a547508d1b..44502f2608 100644
--- a/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php
+++ b/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php
@@ -326,8 +326,14 @@ final class TotpMultifactorMethod implements IMultifactorMethod
 }
 }
 if ($selectedDevice === null) {
- // This should never happen.
- $field->addValidationError(new FormFieldValidationError('unreachable'));
+ // The user sent an invalid value for the device selector.
+ $field->value('');
+ $field->addValidationError(new FormFieldValidationError(
+ 'invalidCode',
+ 'wcf.user.security.multifactor.error.invalidCode'
+ ));
+
+ return;
 }
 $totp = new Totp($selectedDevice['secret']);
-- 
2.20.1
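Review bot: The new `return;` in the `$selectedDevice === null` branch exits the validator before anything that follows the `new Totp($selectedDevice['secret'])` line, so any failed-attempt accounting or logging placed later in this closure would be skipped for a request carrying an unknown device value. The rest of the closure is outside the hunk, so this cannot be confirmed from here; it is worth checking that this path is throttled and logged the same way as a wrong code. Reusing the `invalidCode` error instead of a distinct message keeps the two failure cases indistinguishable to the client, and the comment could say so, e.g. `// Report the same error as a wrong code so the response does not depend on whether the device id exists.` A regression test that submits a device id not belonging to the user and asserts the `invalidCode` validation error would pin this behaviour.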