author | Stephan Orbaugh <62374139+sorbaugh@users.noreply.github.com> | 2025-01-07 10:24:06 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2025-01-07 10:24:06 +0100 |
commit | b64b106c13bc7082bab5e8111e7e231aaa6efde4 (patch) | |
tree | c5210570ed0a375b31e318f986c7d4fe36297ac0 | |
parent | 3ab0d672b118a419f1940428ea392059d5ce8784 (diff) | |
parent | 9193cd664ea9e229765aedb77eadff121ed521c9 (diff) | |
Merge pull request #49966 from nextcloud/block-dav-move-parent
fix: block moving files to its own parent with dav
-rw-r--r-- | apps/dav/lib/Connector/Sabre/FilesPlugin.php | 5 | ||||
-rw-r--r-- | build/integration/dav_features/dav-v2.feature | 10 | ||||
-rw-r--r-- | build/integration/dav_features/webdav-related.feature | 10 |
3 files changed, 25 insertions, 0 deletions
diff --git a/apps/dav/lib/Connector/Sabre/FilesPlugin.php b/apps/dav/lib/Connector/Sabre/FilesPlugin.php
index ded3f321e13..a879e264459 100644
--- a/apps/dav/lib/Connector/Sabre/FilesPlugin.php
+++ b/apps/dav/lib/Connector/Sabre/FilesPlugin.php
@@ -203,6 +203,11 @@ class FilesPlugin extends ServerPlugin {
 if (!$sourceNodeFileInfo->isDeletable()) {
 throw new Forbidden($source . ' cannot be deleted');
 }
+
+ // The source is not allowed to be the parent of the target
+ if (str_starts_with($source, $target . '/')) {
+ throw new Forbidden($source . ' cannot be moved to it\'s parent');
+ }
 }
 
 /**
diff --git a/build/integration/dav_features/dav-v2.feature b/build/integration/dav_features/dav-v2.feature
index 02d90242a05..2c74030c462 100644
--- a/build/integration/dav_features/dav-v2.feature
+++ b/build/integration/dav_features/dav-v2.feature
@@ -12,6 +12,16 @@ Feature: dav-v2
 When User "user0" moves file "/textfile0.txt" to "/FOLDER/textfile0.txt"
 Then the HTTP status code should be "201"
 
+ Scenario: Moving and overwriting it's parent
+ Given using new dav path
+ And As an "admin"
+ And user "user0" exists
+ And As an "user0"
+ And user "user0" created a folder "/test"
+ And user "user0" created a folder "/test/test"
+ When User "user0" moves file "/test/test" to "/test"
+ Then the HTTP status code should be "403"
+
 Scenario: download a file with range using new endpoint
 Given using new dav path
 And As an "admin"
diff --git a/build/integration/dav_features/webdav-related.feature b/build/integration/dav_features/webdav-related.feature
index fdf633bd580..f97cc8f6f71 100644
--- a/build/integration/dav_features/webdav-related.feature
+++ b/build/integration/dav_features/webdav-related.feature
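Review bot: The added comment states the relation backwards: `str_starts_with($source, $target . '/')` is true when the target is an ancestor of the source, not when the source is the parent of the target, and it matches every ancestor rather than only the direct parent. I would write `// The target must not be an ancestor of the source, otherwise the move would overwrite the folder that contains the source` and word the exception as `' cannot be moved onto one of its parent folders'`, since moving a node into its parent is a legitimate operation. The comparison is purely textual, so it is a reliable guard only if `$source` and `$target` arrive in the same normalized form (no trailing or doubled slashes, same case and Unicode form as the storage compares with). That normalization is not visible here because the method starts above the hunk, so it is worth confirming and stating in the comment.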
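Review bot: The new scenario here, and the matching one in webdav-related.feature, exercise only the direct parent (`/test/test` onto `/test`), while the guard in FilesPlugin.php is a prefix test that should reject any ancestor. A second scenario one level deeper would pin that behaviour, so a later change to an exact-parent comparison cannot pass unnoticed. The old-path file would get the same scenario with `Given using old dav path`.

```gherkin
  Scenario: Moving and overwriting an ancestor that is not the direct parent
    Given using new dav path
    And As an "admin"
    And user "user0" exists
    And As an "user0"
    And user "user0" created a folder "/test"
    And user "user0" created a folder "/test/test"
    And user "user0" created a folder "/test/test/test"
    When User "user0" moves file "/test/test/test" to "/test"
    Then the HTTP status code should be "403"
```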
@@ -38,6 +38,16 @@ Feature: webdav-related
 Then the HTTP status code should be "204"
 And Downloaded content when downloading file "/textfile0.txt" with range "bytes=0-6" should be "Welcome"
 
+ Scenario: Moving and overwriting it's parent
+ Given using old dav path
+ And As an "admin"
+ And user "user0" exists
+ And As an "user0"
+ And user "user0" created a folder "/test"
+ And user "user0" created a folder "/test/test"
+ When User "user0" moves file "/test/test" to "/test"
+ Then the HTTP status code should be "403"
+
 Scenario: Moving a file to a folder with no permissions
 Given using old dav path
 And As an "admin" |