diff options
| author | Robin Appelman <robin@icewind.nl> | 2024-12-23 19:24:39 +0100 |
|---|---|---|
| committer | Robin Appelman <robin@icewind.nl> | 2025-01-03 15:30:20 +0100 |
| commit | 9193cd664ea9e229765aedb77eadff121ed521c9 (patch) | |
| tree | c34dce30186fa728b5d8cc0093fd320f2300a753 /apps | |
| parent | b16f5a00435e9356cbbd757b7fadb5823d8f903a (diff) | |
| download | nextcloud-server-block-dav-move-parent.tar.gz nextcloud-server-block-dav-move-parent.zip | |
fix: block moving files to it's own parent with davblock-dav-move-parent
Signed-off-by: Robin Appelman <robin@icewind.nl>
Diffstat (limited to 'apps')
| -rw-r--r-- | apps/dav/lib/Connector/Sabre/FilesPlugin.php | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/apps/dav/lib/Connector/Sabre/FilesPlugin.php b/apps/dav/lib/Connector/Sabre/FilesPlugin.php index ded3f321e13..a879e264459 100644 --- a/apps/dav/lib/Connector/Sabre/FilesPlugin.php +++ b/apps/dav/lib/Connector/Sabre/FilesPlugin.php @@ -203,6 +203,11 @@ class FilesPlugin extends ServerPlugin { if (!$sourceNodeFileInfo->isDeletable()) { throw new Forbidden($source . ' cannot be deleted'); } + + // The source is not allowed to be the parent of the target + if (str_starts_with($source, $target . '/')) { + throw new Forbidden($source . ' cannot be moved to it\'s parent'); + } } /** |