fix(dav): Handle long absence status earlier

Validate the request early. Don't let this cause a database error. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2026-02-10 22:34:26 -05:00 · 2025-02-28 09:05:05 +01:00 · 2025-02-28 09:05:05 +01:00 · 14a00a4753
commit 14a00a4753
parent 158f60b9f1
2 changed files with 9 additions and 4 deletions
--- a/apps/dav/lib/Controller/OutOfOfficeController.php
+++ b/apps/dav/lib/Controller/OutOfOfficeController.php
@ -21,6 +21,7 @@ use OCP\IRequest;
 use OCP\IUserManager;
 use OCP\IUserSession;
 use OCP\User\IAvailabilityCoordinator;
+use function mb_strlen;

 /**
 * @psalm-import-type DAVOutOfOfficeData from ResponseDefinitions
@ -107,10 +108,10 @@ class OutOfOfficeController extends OCSController {
 	 * @param string $message Longer multiline message that is shown to others during the absence
 	 * @param ?string $replacementUserId User id of the replacement user
 	 * @param ?string $replacementUserDisplayName Display name of the replacement user
-	 * @return DataResponse<Http::STATUS_OK, DAVOutOfOfficeData, array{}>|DataResponse<Http::STATUS_BAD_REQUEST, array{error: 'firstDay'}, array{}>|DataResponse<Http::STATUS_UNAUTHORIZED, null, array{}>|DataResponse<Http::STATUS_NOT_FOUND, null, array{}>
+	 * @return DataResponse<Http::STATUS_OK, DAVOutOfOfficeData, array{}>|DataResponse<Http::STATUS_BAD_REQUEST, array{error: 'firstDay'|'statusLength'}, array{}>|DataResponse<Http::STATUS_UNAUTHORIZED, null, array{}>|DataResponse<Http::STATUS_NOT_FOUND, null, array{}>
 	 *
 	 * 200: Absence data
-	 * 400: When the first day is not before the last day
+	 * 400: When validation fails, e.g. data range error or the first day is not before the last day
 	 * 401: When the user is not logged in
 	 * 404: When the replacementUserId was provided but replacement user was not found
 	 */
@ -128,6 +129,9 @@ class OutOfOfficeController extends OCSController {
 		if ($user === null) {
 			return new DataResponse(null, Http::STATUS_UNAUTHORIZED);
 		}
+		if (mb_strlen($status) > 100) {
+			return new DataResponse(['error' => 'statusLength'], Http::STATUS_BAD_REQUEST);
+		}

 		if ($replacementUserId !== null) {
 			$replacementUser = $this->userManager->get($replacementUserId);
--- a/apps/dav/openapi.json
+++ b/apps/dav/openapi.json
@ -793,7 +793,7 @@
                        }
                    },
                    "400": {
-                        "description": "When the first day is not before the last day",
+                        "description": "When validation fails, e.g. data range error or the first day is not before the last day",
                        "content": {
                            "application/json": {
                                "schema": {
@ -821,7 +821,8 @@
                                                        "error": {
                                                            "type": "string",
                                                            "enum": [
-                                                                "firstDay"
+                                                                "firstDay",
+                                                                "statusLength"
                                                            ]
                                                        }
                                                    }