diff options
| author | Robin Appelman <robin@icewind.nl> | 2024-05-27 14:29:34 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-05-27 14:29:34 +0200 |
| commit | d87c23242b96903d59b978a936179f5441c26773 (patch) | |
| tree | 7c8f9d746bacc56e31ea3deaa4cb0c96f373ef53 /lib | |
| parent | b8aef38a0d8efc4e7e242de0c5471f454781dba8 (diff) | |
| parent | 66d36bffa61f6c173e48680e6e000bbd16ff1614 (diff) | |
| download | nextcloud-server-d87c23242b96903d59b978a936179f5441c26773.tar.gz nextcloud-server-d87c23242b96903d59b978a936179f5441c26773.zip | |
Merge pull request #45014 from nextcloud/forbid-moving-subfolder
fix: forbid moving a folder into a subfolder of itself
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/private/Files/View.php | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/private/Files/View.php b/lib/private/Files/View.php index 9750186ba9b..0150a3e117a 100644 --- a/lib/private/Files/View.php +++ b/lib/private/Files/View.php @@ -20,6 +20,7 @@ use OCP\Files\Cache\ICacheEntry; use OCP\Files\ConnectionLostException; use OCP\Files\EmptyFileNameException; use OCP\Files\FileNameTooLongException; +use OCP\Files\ForbiddenException; use OCP\Files\InvalidCharacterInPathException; use OCP\Files\InvalidDirectoryException; use OCP\Files\InvalidPathException; @@ -694,6 +695,11 @@ class View { public function rename($source, $target) { $absolutePath1 = Filesystem::normalizePath($this->getAbsolutePath($source)); $absolutePath2 = Filesystem::normalizePath($this->getAbsolutePath($target)); + + if (str_starts_with($absolutePath2, $absolutePath1 . '/')) { + throw new ForbiddenException("Moving a folder into a child folder is forbidden", false); + } + $targetParts = explode('/', $absolutePath2); $targetUser = $targetParts[1] ?? null; $result = false; |