From 9193cd664ea9e229765aedb77eadff121ed521c9 Mon Sep 17 00:00:00 2001
From: Robin Appelman <robin@icewind.nl>
Date: Mon, 23 Dec 2024 19:24:39 +0100
Subject: fix: block moving files to it's own parent with dav

Signed-off-by: Robin Appelman <robin@icewind.nl>
---
 apps/dav/lib/Connector/Sabre/FilesPlugin.php | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'apps')

diff --git a/apps/dav/lib/Connector/Sabre/FilesPlugin.php b/apps/dav/lib/Connector/Sabre/FilesPlugin.php
index ded3f321e13..a879e264459 100644
--- a/apps/dav/lib/Connector/Sabre/FilesPlugin.php
+++ b/apps/dav/lib/Connector/Sabre/FilesPlugin.php
@@ -203,6 +203,11 @@ class FilesPlugin extends ServerPlugin {
 		if (!$sourceNodeFileInfo->isDeletable()) {
 			throw new Forbidden($source . ' cannot be deleted');
 		}
+
+		// The source is not allowed to be the parent of the target
+		if (str_starts_with($source, $target . '/')) {
+			throw new Forbidden($source . ' cannot be moved to it\'s parent');
+		}
 	}
 
 	/**
-- 
cgit v1.2.3