author | Christoph Wurst <christoph@winzerhof-wurst.at> | 2025-02-28 09:05:05 +0100 |
committer | Christoph Wurst <christoph@winzerhof-wurst.at> | 2025-03-05 13:23:57 +0100 |
commit | 89b6ba6c4d8f0c36ade9cd05a2d99a0c800b563c (patch) | |
tree | 21f02deec482b31a98d4a28169b61378dbef4451 | |
parent | 64b2830c6405e9f164add6d1b29688d2262ec5ef (diff) | |
fix(dav): Handle long absence status earlier (backport/51256/stable28)
Validate the request early. Don't let this cause a database error.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
-rw-r--r-- | apps/dav/lib/Controller/OutOfOfficeController.php | 8 | ||||
-rw-r--r-- | apps/dav/openapi.json | 5 |
2 files changed, 9 insertions, 4 deletions
diff --git a/apps/dav/lib/Controller/OutOfOfficeController.php b/apps/dav/lib/Controller/OutOfOfficeController.php
index a2e7378f32d..f8f6b143b62 100644
--- a/apps/dav/lib/Controller/OutOfOfficeController.php
+++ b/apps/dav/lib/Controller/OutOfOfficeController.php
@@ -38,6 +38,7 @@ use OCP\IRequest;
 use OCP\IUserManager;
 use OCP\IUserSession;
 use OCP\User\IAvailabilityCoordinator;
+use function mb_strlen;
 /**
 * @psalm-import-type DAVOutOfOfficeData from ResponseDefinitions
@@ -120,10 +121,10 @@ class OutOfOfficeController extends OCSController {
 * @param string $lastDay Last day of the absence in format `YYYY-MM-DD`
 * @param string $status Short text that is set as user status during the absence
 * @param string $message Longer multiline message that is shown to others during the absence
- * @return DataResponse<Http::STATUS_OK, DAVOutOfOfficeData, array{}>|DataResponse<Http::STATUS_BAD_REQUEST, array{error: 'firstDay'}, array{}>|DataResponse<Http::STATUS_UNAUTHORIZED, null, array{}>
+ * @return DataResponse<Http::STATUS_OK, DAVOutOfOfficeData, array{}>|DataResponse<Http::STATUS_BAD_REQUEST, array{error: 'firstDay'|'statusLength'}, array{}>|DataResponse<Http::STATUS_UNAUTHORIZED, null, array{}>
 *
 * 200: Absence data
- * 400: When the first day is not before the last day
+ * 400: When validation fails, e.g. data range error or the first day is not before the last day
 * 401: When the user is not logged in
 */
 #[NoAdminRequired]
@@ -137,6 +138,9 @@ class OutOfOfficeController extends OCSController {
 if ($user === null) {
 return new DataResponse(null, Http::STATUS_UNAUTHORIZED);
 }
+if (mb_strlen($status) > 100) {
+return new DataResponse(['error' => 'statusLength'], Http::STATUS_BAD_REQUEST);
+}
 $parsedFirstDay = new DateTimeImmutable($firstDay);
 $parsedLastDay = new DateTimeImmutable($lastDay);
diff --git a/apps/dav/openapi.json b/apps/dav/openapi.json
index 2f376a78c44..4408ac3dada 100644
--- a/apps/dav/openapi.json
+++ b/apps/dav/openapi.json
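Review bot: The `100` in the new `mb_strlen($status) > 100` check in the third hunk is an unexplained magic number; since the commit message ties it to avoiding a database error it presumably mirrors the length of the column the status is stored in, so it should be a named constant such as `private const STATUS_MAX_LENGTH = 100; // must match the length of the persisted status column` so the two cannot drift apart silently. `mb_strlen` counts characters, which is only the right measure if that column limit is also expressed in characters rather than bytes — worth confirming against the schema. The `$message` parameter documented in the same docblock as a longer text gets no length check at all; if it is persisted to a length-limited column as well it will trigger the same database error this commit sets out to prevent. The `new DateTimeImmutable($firstDay)` calls directly below the new check still throw on an unparsable date and thus surface as a 500 rather than a 400, which runs against the stated "validate early" aim; the method body continues beyond the hunk. In the second hunk the new 400 description reads "data range error", which looks like it was meant to be "date range error".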
@@ -569,7 +569,7 @@ } }, "400": { - "description": "When the first day is not before the last day", + "description": "When validation fails, e.g. data range error or the first day is not before the last day", "content": { "application/json": { "schema": { @@ -597,7 +597,8 @@ "error": { "type": "string", "enum": [ - "firstDay" + "firstDay", + "statusLength" ] } } |