diff options
| author | Robin Appelman <robin@icewind.nl> | 2024-04-24 14:50:13 +0200 |
|---|---|---|
| committer | Robin Appelman <robin@icewind.nl> | 2024-04-24 15:14:00 +0200 |
| commit | 943f7fe3500c1271018824e07e7fbef9fd023aab (patch) | |
| tree | 65876ff945890b7a8f1f9cd607a648446ad3f7cb | |
| parent | af11616872fbd817862ad156718bc588765a06ec (diff) | |
| download | nextcloud-server-forbid-moving-subfolder-24.tar.gz nextcloud-server-forbid-moving-subfolder-24.zip | |
fix: forbid moving a folder into a subfolder of itselfforbid-moving-subfolder-24
Signed-off-by: Robin Appelman <robin@icewind.nl>
| -rw-r--r-- | lib/private/Files/View.php | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/private/Files/View.php b/lib/private/Files/View.php index 299f1e3df99..447c6c79c9b 100644 --- a/lib/private/Files/View.php +++ b/lib/private/Files/View.php @@ -57,6 +57,7 @@ use OCP\Constants; use OCP\Files\Cache\ICacheEntry; use OCP\Files\EmptyFileNameException; use OCP\Files\FileNameTooLongException; +use OCP\Files\ForbiddenException; use OCP\Files\InvalidCharacterInPathException; use OCP\Files\InvalidDirectoryException; use OCP\Files\InvalidPathException; @@ -762,6 +763,11 @@ class View { public function rename($path1, $path2) { $absolutePath1 = Filesystem::normalizePath($this->getAbsolutePath($path1)); $absolutePath2 = Filesystem::normalizePath($this->getAbsolutePath($path2)); + + if (str_starts_with($absolutePath2, $absolutePath1 . '/')) { + throw new ForbiddenException("Moving a folder into a child folder is forbidden", false); + } + $result = false; if ( Filesystem::isValidPath($path2) |