Reject malformed UTF-8

dtdesign · dtdesign · commit d8faa7ad03a6 · 2025-11-05T10:56:48.000+01:00
This is common with break-in attempts and just floods the log with garbage.
diff --git a/wcfsetup/install/files/lib/action/ApiAction.class.php b/wcfsetup/install/files/lib/action/ApiAction.class.php
@@ -3,6 +3,7 @@
 namespace wcf\action;
 
 use CuyZ\Valinor\Mapper\MappingError;
+use CuyZ\Valinor\Utility\String\StringFormatterError;
 use FastRoute\ConfigureRoutes;
 use FastRoute\Dispatcher\Result\MethodNotAllowed;
 use FastRoute\Dispatcher\Result\NotMatched;
@@ -98,6 +99,8 @@ static function (ConfigureRoutes $r) {
             return $this->toErrorResponse(RequestFailure::ValidationFailed, $e->getType(), $e->getMessage(), $e->getField());
         } catch (IllegalLinkException) {
             return $this->toErrorResponse(RequestFailure::ValidationFailed, 'assertion_failed');
+        } catch (StringFormatterError) {
+            return $this->toErrorResponse(RequestFailure::InternalError, 'malformed_utf8');
         } catch (\Throwable $e) {
             logThrowable($e);
 
diff --git a/wcfsetup/install/files/lib/http/middleware/HandleValinorMappingErrors.class.php b/wcfsetup/install/files/lib/http/middleware/HandleValinorMappingErrors.class.php
@@ -4,6 +4,7 @@
 
 use CuyZ\Valinor\Mapper\MappingError;
 use CuyZ\Valinor\Mapper\Tree\Message\NodeMessage;
+use CuyZ\Valinor\Utility\String\StringFormatterError;
 use Laminas\Diactoros\Response\HtmlResponse;
 use Laminas\Diactoros\Response\JsonResponse;
 use Psr\Http\Message\ResponseInterface;
@@ -32,10 +33,15 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
     {
         try {
             return $handler->handle($request);
-        } catch (MappingError $e) {
-            $message = "Could not map type '{$e->type()}'.";
-            $errors = $e->messages()
-                ->formatWith(new PrependPath());
+        } catch (MappingError | StringFormatterError $e) {
+            if ($e instanceof MappingError) {
+                $message = "Could not map type '{$e->type()}'.";
+                $errors = $e->messages()
+                    ->formatWith(new PrependPath());
+            } else {
+                $message = "Rejected malformed UTF-8 input.";
+                $errors = [];
+            }
 
             $preferredType = Helper::getPreferredContentType($request, [
                 'application/json',
