From 4a8eaaf21b857e60ee52325b8eda7188c8da0454 Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Wed, 24 Apr 2024 14:50:13 +0200 Subject: [PATCH] fix: forbid moving a folder into a subfolder of itself Signed-off-by: Robin Appelman --- lib/private/Files/View.php | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/private/Files/View.php b/lib/private/Files/View.php index 98b597dbd4d..419b91b7b6d 100644 --- a/lib/private/Files/View.php +++ b/lib/private/Files/View.php @@ -59,6 +59,7 @@ use OCP\Files\Cache\ICacheEntry; use OCP\Files\ConnectionLostException; use OCP\Files\EmptyFileNameException; use OCP\Files\FileNameTooLongException; +use OCP\Files\ForbiddenException; use OCP\Files\InvalidCharacterInPathException; use OCP\Files\InvalidDirectoryException; use OCP\Files\InvalidPathException; @@ -733,6 +734,11 @@ class View { public function rename($source, $target) { $absolutePath1 = Filesystem::normalizePath($this->getAbsolutePath($source)); $absolutePath2 = Filesystem::normalizePath($this->getAbsolutePath($target)); + + if (str_starts_with($absolutePath2, $absolutePath1 . '/')) { + throw new ForbiddenException("Moving a folder into a child folder is forbidden", false); + } + $targetParts = explode('/', $absolutePath2); $targetUser = $targetParts[1] ?? null; $result = false; -- 2.39.5