1 files changed, 6 insertions, 2 deletions

diff --git a/apps/dav/lib/Controller/OutOfOfficeController.php b/apps/dav/lib/Controller/OutOfOfficeController.php
index a2e7378f32d..f8f6b143b62 100644
--- a/apps/dav/lib/Controller/OutOfOfficeController.php
+++ b/apps/dav/lib/Controller/OutOfOfficeController.php
@@ -38,6 +38,7 @@ use OCP\IRequest;
 use OCP\IUserManager;
 use OCP\IUserSession;
 use OCP\User\IAvailabilityCoordinator;
+use function mb_strlen;
 
 /**
  * @psalm-import-type DAVOutOfOfficeData from ResponseDefinitions
@@ -120,10 +121,10 @@ class OutOfOfficeController extends OCSController {
 	 * @param string $lastDay Last day of the absence in format `YYYY-MM-DD`
 	 * @param string $status Short text that is set as user status during the absence
 	 * @param string $message Longer multiline message that is shown to others during the absence
-	 * @return DataResponse<Http::STATUS_OK, DAVOutOfOfficeData, array{}>|DataResponse<Http::STATUS_BAD_REQUEST, array{error: 'firstDay'}, array{}>|DataResponse<Http::STATUS_UNAUTHORIZED, null, array{}>
+	 * @return DataResponse<Http::STATUS_OK, DAVOutOfOfficeData, array{}>|DataResponse<Http::STATUS_BAD_REQUEST, array{error: 'firstDay'|'statusLength'}, array{}>|DataResponse<Http::STATUS_UNAUTHORIZED, null, array{}>
 	 *
 	 * 200: Absence data
-	 * 400: When the first day is not before the last day
+	 * 400: When validation fails, e.g. data range error or the first day is not before the last day
 	 * 401: When the user is not logged in
 	 */
 	#[NoAdminRequired]
@@ -137,6 +138,9 @@ class OutOfOfficeController extends OCSController {
 		if ($user === null) {
 			return new DataResponse(null, Http::STATUS_UNAUTHORIZED);
 		}
+		if (mb_strlen($status) > 100) {
+			return new DataResponse(['error' => 'statusLength'], Http::STATUS_BAD_REQUEST);
+		}
 
 		$parsedFirstDay = new DateTimeImmutable($firstDay);
 		$parsedLastDay = new DateTimeImmutable($lastDay);