fix: block moving files to it's own parent with davbackport/49966/stable30

Signed-off-by: Robin Appelman <robin@icewind.nl>

3 files changed, 25 insertions, 0 deletions

diff --git a/apps/dav/lib/Connector/Sabre/FilesPlugin.php b/apps/dav/lib/Connector/Sabre/FilesPlugin.php
index 2db23f390c8..b7c1335f644 100644
--- a/apps/dav/lib/Connector/Sabre/FilesPlugin.php
+++ b/apps/dav/lib/Connector/Sabre/FilesPlugin.php
@@ -202,6 +202,11 @@ class FilesPlugin extends ServerPlugin {
 		if (!$sourceNodeFileInfo->isDeletable()) {
 			throw new Forbidden($source . ' cannot be deleted');
 		}
+
+		// The source is not allowed to be the parent of the target
+		if (str_starts_with($source, $target . '/')) {
+			throw new Forbidden($source . ' cannot be moved to it\'s parent');
+		}
 	}
 
 	/**
diff --git a/build/integration/dav_features/dav-v2.feature b/build/integration/dav_features/dav-v2.feature
index d62f7d8fa94..baaabc07f20 100644
--- a/build/integration/dav_features/dav-v2.feature
+++ b/build/integration/dav_features/dav-v2.feature
@@ -11,6 +11,16 @@ Feature: dav-v2
 		When User "user0" moves file "/textfile0.txt" to "/FOLDER/textfile0.txt"
 		Then the HTTP status code should be "201"
 
+  Scenario: Moving and overwriting it's parent
+    Given using new dav path
+    And As an "admin"
+    And user "user0" exists
+    And As an "user0"
+    And user "user0" created a folder "/test"
+    And user "user0" created a folder "/test/test"
+    When User "user0" moves file "/test/test" to "/test"
+    Then the HTTP status code should be "403"
+
 	Scenario: download a file with range using new endpoint
 		Given using new dav path
 		And As an "admin"
diff --git a/build/integration/dav_features/webdav-related.feature b/build/integration/dav_features/webdav-related.feature
index fdf633bd580..f97cc8f6f71 100644
--- a/build/integration/dav_features/webdav-related.feature
+++ b/build/integration/dav_features/webdav-related.feature
@@ -38,6 +38,16 @@ Feature: webdav-related
 		Then the HTTP status code should be "204"
 		And Downloaded content when downloading file "/textfile0.txt" with range "bytes=0-6" should be "Welcome"
 
+  Scenario: Moving and overwriting it's parent
+    Given using old dav path
+    And As an "admin"
+    And user "user0" exists
+    And As an "user0"
+    And user "user0" created a folder "/test"
+    And user "user0" created a folder "/test/test"
+    When User "user0" moves file "/test/test" to "/test"
+    Then the HTTP status code should be "403"
+
 	Scenario: Moving a file to a folder with no permissions
 		Given using old dav path
 		And As an "admin"