From 42fc17b1bdeac9135e06189886f7a007f1dc9d20 Mon Sep 17 00:00:00 2001
From: jkoberg
Date: Thu, 8 Aug 2024 11:20:40 +0200
Subject: [PATCH] feat(ocdav): block mountpoint copy also in spaces case

Signed-off-by: jkoberg
---
 changelog/unreleased/block-overwriting-mountpoints.md | 1 +
 internal/http/services/owncloud/ocdav/copy.go | 9 ++++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/changelog/unreleased/block-overwriting-mountpoints.md b/changelog/unreleased/block-overwriting-mountpoints.md
index 55b4e005b3..5e9d263b9b 100644
--- a/changelog/unreleased/block-overwriting-mountpoints.md
+++ b/changelog/unreleased/block-overwriting-mountpoints.md
@@ -2,6 +2,7 @@ Bugfix: Block overwriting mountpoints
 This blocks overwriting mountpoints through the webdav COPY api. It is now returning a bad request when attempting to overwrite a mountpoint.
+https://github.com/cs3org/reva/pull/4802
 https://github.com/cs3org/reva/pull/4796
 https://github.com/cs3org/reva/pull/4786
 https://github.com/cs3org/reva/pull/4785
diff --git a/internal/http/services/owncloud/ocdav/copy.go b/internal/http/services/owncloud/ocdav/copy.go
index cccc3c2f08..73e3129093 100644
--- a/internal/http/services/owncloud/ocdav/copy.go
+++ b/internal/http/services/owncloud/ocdav/copy.go
@@ -697,7 +697,14 @@ func (s *svc) prepareCopy(ctx context.Context, w http.ResponseWriter, r *http.Re

 // we must not allow to override mountpoints - so we check if we have access to the parent. If not this is a mountpoint
 if destInShareJail {
- dir, file := filepath.Split(dstRef.GetPath())
+ res, err := client.GetPath(ctx, &provider.GetPathRequest{ResourceId: dstStatRes.GetInfo().GetId()})
+ if err != nil || res.GetStatus().GetCode() != rpc.Code_CODE_OK {
+ log.Error().Err(err).Msg("error sending grpc get path request")
+ w.WriteHeader(http.StatusInternalServerError)
+ return nil
+ }
+
+ dir, file := filepath.Split(filepath.Clean(res.GetPath()))
 if dir == "/" || dir == "" || file == "" {
 log.Error().Msg("must not overwrite mount points")
 w.WriteHeader(http.StatusBadRequest)
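Review bot: The added error branch handles a transport failure and a non-OK GetPath status the same way, so when `err` is nil the log line `error sending grpc get path request` carries neither an error nor the status, and a not-found or permission-denied answer on this mountpoint guard surfaces as a bare 500 that cannot be told apart from an outage. Logging the status alongside the error would close that gap, e.g. `log.Error().Err(err).Interface("status", res.GetStatus()).Msg("error sending grpc get path request")`. Separately, the guard compares `dir == "/"` on what appears to be a slash-separated storage path, while `filepath.Clean` rewrites separators on Windows builds; `path.Clean` and `path.Split` would keep the comparison platform-independent (the file's imports are outside this hunk, so `path` may need to be added). prepareCopy starts and ends outside the hunk, so how the resolved path relates to `dstRef` in the remaining code cannot be checked from here.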