From f7b3944aa70aae564d4b76def47fb51d35dffeb9 Mon Sep 17 00:00:00 2001 From: Christian Richter Date: Thu, 14 Mar 2024 11:15:06 +0100 Subject: [PATCH] bump reva Signed-off-by: Christian Richter --- changelog/unreleased/check-parent-on-copy.md | 8 +++++ go.mod | 2 +- go.sum | 4 +-- .../http/services/owncloud/ocdav/copy.go | 31 +++++++++++++++++++ .../http/services/owncloud/ocdav/move.go | 23 ++++++++++++++ vendor/modules.txt | 2 +- 6 files changed, 66 insertions(+), 4 deletions(-) create mode 100644 changelog/unreleased/check-parent-on-copy.md diff --git a/changelog/unreleased/check-parent-on-copy.md b/changelog/unreleased/check-parent-on-copy.md new file mode 100644 index 0000000000..1325b52958 --- /dev/null +++ b/changelog/unreleased/check-parent-on-copy.md @@ -0,0 +1,8 @@ +Bugfix: Prevent copying a file to a parent folder + +When copying a file to a parent folder, the file would be copied to the parent folder, but the file would not be removed from the original folder. + +https://github.com/owncloud/ocis/pull/8649 +https://github.com/owncloud/ocis/issues/1230 +https://github.com/cs3org/reva/pull/4571 +` diff --git a/go.mod b/go.mod index d068ec8b8a..d4216ca36f 100644 --- a/go.mod +++ b/go.mod @@ -14,7 +14,7 @@ require ( github.com/cenkalti/backoff v2.2.1+incompatible github.com/coreos/go-oidc/v3 v3.9.0 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781 - github.com/cs3org/reva/v2 v2.19.2-0.20240313154849-352a246529ff + github.com/cs3org/reva/v2 v2.19.2-0.20240318131905-fd7b50caacad github.com/dhowden/tag v0.0.0-20230630033851-978a0926ee25 github.com/disintegration/imaging v1.6.2 github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e diff --git a/go.sum b/go.sum index 38deb30ad8..b89cc3c5b9 100644 --- a/go.sum +++ b/go.sum @@ -1018,8 +1018,8 @@ github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c= github.com/crewjam/saml v0.4.14/go.mod h1:UVSZCf18jJkk6GpWNVqcyQJMD5HsRugBPf4I1nl2mME= github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781 h1:BUdwkIlf8IS2FasrrPg8gGPHQPOrQ18MS1Oew2tmGtY= github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY= -github.com/cs3org/reva/v2 v2.19.2-0.20240313154849-352a246529ff h1:XW1j4lf3EWfB9/fKN3D8Q1mehNvrlmGuXdVVzWLtFDs= -github.com/cs3org/reva/v2 v2.19.2-0.20240313154849-352a246529ff/go.mod h1:GRUrOp5HbFVwZTgR9bVrMZ/MvVy+Jhxw1PdMmhhKP9E= +github.com/cs3org/reva/v2 v2.19.2-0.20240318131905-fd7b50caacad h1:qKgPSuJ9T3AElJbZbrNmUSH51MQq1CgN1acKcyty86Y= +github.com/cs3org/reva/v2 v2.19.2-0.20240318131905-fd7b50caacad/go.mod h1:GRUrOp5HbFVwZTgR9bVrMZ/MvVy+Jhxw1PdMmhhKP9E= github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4= github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/copy.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/copy.go index 166c110f3f..995279ee00 100644 --- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/copy.go +++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/copy.go @@ -559,6 +559,37 @@ func (s *svc) prepareCopy(ctx context.Context, w http.ResponseWriter, r *http.Re return nil } + isParent, err := s.referenceIsChildOf(ctx, s.gatewaySelector, srcRef, dstRef) + if err != nil { + switch err.(type) { + case errtypes.IsNotFound: + isParent = false + case errtypes.IsNotSupported: + log.Error().Err(err).Msg("can not detect recursive copy operation. missing machine auth configuration?") + w.WriteHeader(http.StatusForbidden) + return nil + default: + log.Error().Err(err).Msg("error while trying to detect recursive copy operation") + w.WriteHeader(http.StatusInternalServerError) + return nil + } + } + + if isParent { + w.WriteHeader(http.StatusConflict) + b, err := errors.Marshal(http.StatusBadRequest, "can not copy a folder into its parent", "") + errors.HandleWebdavError(log, w, b, err) + return nil + + } + + if srcRef.Path == dstRef.Path && srcRef.ResourceId == dstRef.ResourceId { + w.WriteHeader(http.StatusConflict) + b, err := errors.Marshal(http.StatusBadRequest, "source and destination are the same", "") + errors.HandleWebdavError(log, w, b, err) + return nil + } + oh := r.Header.Get(net.HeaderOverwrite) overwrite, err := net.ParseOverwrite(oh) if err != nil { diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/move.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/move.go index 4706d20e9d..6d1a523bef 100644 --- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/move.go +++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/move.go @@ -162,6 +162,29 @@ func (s *svc) handleMove(ctx context.Context, w http.ResponseWriter, r *http.Req return } + isParent, err := s.referenceIsChildOf(ctx, s.gatewaySelector, src, dst) + if err != nil { + switch err.(type) { + case errtypes.IsNotFound: + isParent = false + case errtypes.IsNotSupported: + log.Error().Err(err).Msg("can not detect recursive move operation. missing machine auth configuration?") + w.WriteHeader(http.StatusForbidden) + return + default: + log.Error().Err(err).Msg("error while trying to detect recursive move operation") + w.WriteHeader(http.StatusInternalServerError) + return + } + } + if isParent { + w.WriteHeader(http.StatusConflict) + b, err := errors.Marshal(http.StatusBadRequest, "can not move a folder into its parent", "") + errors.HandleWebdavError(&log, w, b, err) + return + + } + oh := r.Header.Get(net.HeaderOverwrite) log.Debug().Str("overwrite", oh).Msg("move") diff --git a/vendor/modules.txt b/vendor/modules.txt index 31c0df2157..40c7dea1ef 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -359,7 +359,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1 github.com/cs3org/go-cs3apis/cs3/types/v1beta1 -# github.com/cs3org/reva/v2 v2.19.2-0.20240313154849-352a246529ff +# github.com/cs3org/reva/v2 v2.19.2-0.20240318131905-fd7b50caacad ## explicit; go 1.21 github.com/cs3org/reva/v2/cmd/revad/internal/grace github.com/cs3org/reva/v2/cmd/revad/runtime