feat(ocdav): check for share jail properly

Signed-off-by: jkoberg <jkoberg@owncloud.com>
kobergj · Aug 1, 2024 · 86151c4 · 86151c4
1 parent c10f2ae
commit 86151c4
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/changelog/unreleased/block-overwriting-mountpoints.md b/changelog/unreleased/block-overwriting-mountpoints.md
@@ -2,4 +2,5 @@ Bugfix: Block overwriting mountpoints
 
 This blocks overwriting mountpoints through the webdav COPY api. It is now returning a bad request when attempting to overwrite a mountpoint.
 
+https://github.com/cs3org/reva/pull/4786
 https://github.com/cs3org/reva/pull/4785
diff --git a/internal/http/services/owncloud/ocdav/copy.go b/internal/http/services/owncloud/ocdav/copy.go
@@ -692,10 +692,13 @@ func (s *svc) prepareCopy(ctx context.Context, w http.ResponseWriter, r *http.Re
 
  // we must not allow to override mountpoints - so we check if we have access to the parent. If not this is a mountpoint
  if destInShareJail {
- log.Error().Msg("must not overwrite mount points")
- w.WriteHeader(http.StatusBadRequest)
- _, _ = w.Write([]byte("must not overwrite mount points"))
- return nil
+ dir, file := filepath.Split(dstRef.GetPath())
+ if dir == "/" || dir == "" || file == "" {
+ log.Error().Msg("must not overwrite mount points")
+ w.WriteHeader(http.StatusBadRequest)
+ _, _ = w.Write([]byte("must not overwrite mount points"))
+ return nil
+ }
  }
 
  // delete existing tree when overwriting a directory or replacing a file with a directory