authorChristoph Wurst <christoph@winzerhof-wurst.at>2025-02-28 09:05:05 +0100
committerChristoph Wurst <christoph@winzerhof-wurst.at>2025-03-05 09:43:29 +0100
commitc91dee747b2015c387c8c80f7ae3c192c954155b (patch)
tree9edcfaf53aedd896323bdba00c74d04712606fe4
parenta4760ef906ba897f19669898466bdb5c48703ec0 (diff)
fix(dav): Handle long absence status earlierfix/dav/absence-status-too-long
Validate the request early. Don't let this cause a database error. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
-rw-r--r--apps/dav/lib/Controller/OutOfOfficeController.php8
-rw-r--r--apps/dav/openapi.json5
2 files changed, 9 insertions, 4 deletions
diff --git a/apps/dav/lib/Controller/OutOfOfficeController.php b/apps/dav/lib/Controller/OutOfOfficeController.php
index e8698992949..576c2acedfa 100644
--- a/apps/dav/lib/Controller/OutOfOfficeController.php
+++ b/apps/dav/lib/Controller/OutOfOfficeController.php
@@ -21,6 +21,7 @@ use OCP\IRequest;
use OCP\IUserManager;
use OCP\IUserSession;
use OCP\User\IAvailabilityCoordinator;
+use function mb_strlen;
/**
* @psalm-import-type DAVOutOfOfficeData from ResponseDefinitions
@@ -107,10 +108,10 @@ class OutOfOfficeController extends OCSController {
* @param string $message Longer multiline message that is shown to others during the absence
* @param ?string $replacementUserId User id of the replacement user
* @param ?string $replacementUserDisplayName Display name of the replacement user
- * @return DataResponse<Http::STATUS_OK, DAVOutOfOfficeData, array{}>|DataResponse<Http::STATUS_BAD_REQUEST, array{error: 'firstDay'}, array{}>|DataResponse<Http::STATUS_UNAUTHORIZED, null, array{}>|DataResponse<Http::STATUS_NOT_FOUND, null, array{}>
+ * @return DataResponse<Http::STATUS_OK, DAVOutOfOfficeData, array{}>|DataResponse<Http::STATUS_BAD_REQUEST, array{error: 'firstDay'|'statusLength'}, array{}>|DataResponse<Http::STATUS_UNAUTHORIZED, null, array{}>|DataResponse<Http::STATUS_NOT_FOUND, null, array{}>
*
* 200: Absence data
- * 400: When the first day is not before the last day
+ * 400: When validation fails, e.g. data range error or the first day is not before the last day
* 401: When the user is not logged in
* 404: When the replacementUserId was provided but replacement user was not found
*/
@@ -128,6 +129,9 @@ class OutOfOfficeController extends OCSController {
if ($user === null) {
return new DataResponse(null, Http::STATUS_UNAUTHORIZED);
}
+ if (mb_strlen($status) > 100) {
+ return new DataResponse(['error' => 'statusLength'], Http::STATUS_BAD_REQUEST);
+ }
if ($replacementUserId !== null) {
$replacementUser = $this->userManager->get($replacementUserId);
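Review bot: The new check hard-codes `100` with nothing tying it to the storage constraint it protects, which is presumably the length of the column the status is persisted into (the schema is not visible here); a named constant makes that intent reviewable, e.g. `private const MAX_STATUS_LENGTH = 100;` with `if (mb_strlen($status) > self::MAX_STATUS_LENGTH) {` and a comment such as `// Reject early rather than letting the storage layer fail on an oversized status`. Note that `mb_strlen` counts characters while some column types limit bytes, so confirm the unit matches the column definition. The `$message` parameter is documented as a longer multiline text but gets no length check in this hunk, so if it is also stored with a bounded column the same database error the commit description wants to avoid may still be reachable through it. The `400:` docblock line in the previous hunk (and the matching openapi.json description) reads "data range error", which looks like a typo for "date range error". The enclosing controller method starts and ends outside this hunk.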
diff --git a/apps/dav/openapi.json b/apps/dav/openapi.json
index cb7dc82c039..98d5007e376 100644
--- a/apps/dav/openapi.json
+++ b/apps/dav/openapi.json
@@ -793,7 +793,7 @@
}
},
"400": {
- "description": "When the first day is not before the last day",
+ "description": "When validation fails, e.g. data range error or the first day is not before the last day",
"content": {
"application/json": {
"schema": {
@@ -821,7 +821,8 @@
"error": {
"type": "string",
"enum": [
- "firstDay"
+ "firstDay",
+ "statusLength"
]
}
}