From 5f0038a74954d1ea1f409f415387b6232ce8e922 Mon Sep 17 00:00:00 2001
From: Robin Appelman
Date: Mon, 23 Dec 2024 19:24:39 +0100
Subject: [PATCH] fix: block moving files to it's own parent with dav
Signed-off-by: Robin Appelman
---
 apps/dav/lib/Connector/Sabre/FilesPlugin.php | 5 +++++
 build/integration/dav_features/dav-v2.feature | 10 ++++++++++
 build/integration/dav_features/webdav-related.feature | 10 ++++++++++
 3 files changed, 25 insertions(+)
diff --git a/apps/dav/lib/Connector/Sabre/FilesPlugin.php b/apps/dav/lib/Connector/Sabre/FilesPlugin.php
index a0667f3bd72f4..a264e59c44315 100644
--- a/apps/dav/lib/Connector/Sabre/FilesPlugin.php
+++ b/apps/dav/lib/Connector/Sabre/FilesPlugin.php
@@ -199,6 +199,11 @@ public function checkMove($source, $destination) {
 throw new Forbidden($source . " cannot be deleted");
 }
 }
+
+ // The source is not allowed to be the parent of the target
+ if (str_starts_with($source, $target . '/')) {
+ throw new Forbidden($source . ' cannot be moved to it\'s parent');
+ }
 }
 
 /**
diff --git a/build/integration/dav_features/dav-v2.feature b/build/integration/dav_features/dav-v2.feature
index a3ac59578e97e..82d58a908e909 100644
--- a/build/integration/dav_features/dav-v2.feature
+++ b/build/integration/dav_features/dav-v2.feature
@@ -9,6 +9,16 @@ Feature: dav-v2
 When User "user0" moves file "/textfile0.txt" to "/FOLDER/textfile0.txt"
 Then the HTTP status code should be "201"
 
+ Scenario: Moving and overwriting it's parent
+ Given using new dav path
+ And As an "admin"
+ And user "user0" exists
+ And As an "user0"
+ And user "user0" created a folder "/test"
+ And user "user0" created a folder "/test/test"
+ When User "user0" moves file "/test/test" to "/test"
+ Then the HTTP status code should be "403"
+
 Scenario: download a file with range using new endpoint
 Given using new dav path
 And As an "admin"
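Review bot: The added guard in `checkMove` reads `$target`, but the signature shown in the hunk header is `checkMove($source, $destination)`, so unless `$target` is assigned in the part of the body above the hunk (not visible here) it is undefined and the prefix test runs against `'/'` rather than the destination path. In that case the guard does not protect against the move it is meant to reject, and the line should read `if (str_starts_with($source, $destination . '/')) {`. The comment above it is also inverted relative to the condition, which rejects a move whose target is an ancestor of the source; `// The target is not allowed to be an ancestor of the source` would match the code. The exception text should use `its` rather than `it\'s`.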
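Review bot: The new scenario here, and the matching one in webdav-related.feature, only exercises a direct child moved onto its parent (`/test/test` to `/test`). The guard is a string-prefix test with a `'/'` suffix, so it would be worth pinning two more cases: a deeper descendant moved onto an ancestor, which should also return 403, and a source that merely shares a name prefix with the target folder, which should not be rejected by this check. Without the second case a regression that drops the `'/'` suffix would go unnoticed.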
diff --git a/build/integration/dav_features/webdav-related.feature b/build/integration/dav_features/webdav-related.feature
index 28a0cad619b46..6bb600dcb89e9 100644
--- a/build/integration/dav_features/webdav-related.feature
+++ b/build/integration/dav_features/webdav-related.feature
@@ -36,6 +36,16 @@ Feature: webdav-related
 Then the HTTP status code should be "204"
 And Downloaded content when downloading file "/textfile0.txt" with range "bytes=0-6" should be "Welcome"
 
+ Scenario: Moving and overwriting it's parent
+ Given using old dav path
+ And As an "admin"
+ And user "user0" exists
+ And As an "user0"
+ And user "user0" created a folder "/test"
+ And user "user0" created a folder "/test/test"
+ When User "user0" moves file "/test/test" to "/test"
+ Then the HTTP status code should be "403"
+
 Scenario: Moving a file to a folder with no permissions
 Given using old dav path
 And As an "admin"