From a03c71b1fde1bc9702eac73d62b257e8aa4a1113 Mon Sep 17 00:00:00 2001 From: Ferdinand Thiessen Date: Wed, 8 Apr 2026 23:09:32 +0200 Subject: [PATCH 1/3] fix(dav): do not read intermediate uploads Signed-off-by: Ferdinand Thiessen --- apps/dav/lib/Upload/ChunkingV2Plugin.php | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/apps/dav/lib/Upload/ChunkingV2Plugin.php b/apps/dav/lib/Upload/ChunkingV2Plugin.php index a2f9f3c5b6dbc..9343011b84b91 100644 --- a/apps/dav/lib/Upload/ChunkingV2Plugin.php +++ b/apps/dav/lib/Upload/ChunkingV2Plugin.php @@ -29,6 +29,7 @@ use OCP\Lock\ILockingProvider; use Sabre\DAV\Exception\BadRequest; use Sabre\DAV\Exception\InsufficientStorage; +use Sabre\DAV\Exception\MethodNotAllowed; use Sabre\DAV\Exception\NotFound; use Sabre\DAV\Exception\PreconditionFailed; use Sabre\DAV\ICollection; @@ -67,14 +68,24 @@ public function __construct(ICacheFactory $cacheFactory) { * @inheritdoc */ public function initialize(Server $server) { - $server->on('afterMethod:MKCOL', [$this, 'afterMkcol']); + $server->on('beforeMethod:GET', $this->beforeGet(...)); $server->on('beforeMethod:PUT', [$this, 'beforePut']); $server->on('beforeMethod:DELETE', [$this, 'beforeDelete']); $server->on('beforeMove', [$this, 'beforeMove'], 90); + $server->on('afterMethod:MKCOL', [$this, 'afterMkcol']); $this->server = $server; } + protected function beforeGet(RequestInterface $request) { + $sourceNode = $this->server->tree->getNodeForPath($request->getPath()); + if (($sourceNode instanceof FutureFile) || ($sourceNode instanceof UploadFile)) { + throw new MethodNotAllowed('Reading intermediate uploads is not allowed'); + } + + return true; + } + /** * @param string $path * @param bool $createIfNotExists From f7c8d8ed539e67952708ccfe541bd30f12cf1220 Mon Sep 17 00:00:00 2001 From: Ferdinand Thiessen Date: Wed, 8 Apr 2026 23:09:51 +0200 Subject: [PATCH 2/3] fix(dav): do not list intermediate upload folders Signed-off-by: Ferdinand Thiessen --- apps/dav/lib/Upload/RootCollection.php | 1 + apps/dav/lib/Upload/UploadHome.php | 5 ++--- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apps/dav/lib/Upload/RootCollection.php b/apps/dav/lib/Upload/RootCollection.php index 9ea2592702b24..dad5f82566a9c 100644 --- a/apps/dav/lib/Upload/RootCollection.php +++ b/apps/dav/lib/Upload/RootCollection.php @@ -24,6 +24,7 @@ public function __construct( private IUserSession $userSession, ) { parent::__construct($principalBackend, $principalPrefix); + $this->disableListing = true; } /** diff --git a/apps/dav/lib/Upload/UploadHome.php b/apps/dav/lib/Upload/UploadHome.php index a6551d4d079fe..569076c209534 100644 --- a/apps/dav/lib/Upload/UploadHome.php +++ b/apps/dav/lib/Upload/UploadHome.php @@ -14,6 +14,7 @@ use OCP\Files\NotFoundException; use OCP\IUserSession; use Sabre\DAV\Exception\Forbidden; +use Sabre\DAV\Exception\MethodNotAllowed; use Sabre\DAV\ICollection; class UploadHome implements ICollection { @@ -43,9 +44,7 @@ public function getChild($name): UploadFolder { } public function getChildren(): array { - return array_map(function ($node) { - return new UploadFolder($node, $this->cleanupService, $this->getStorage()); - }, $this->impl()->getChildren()); + throw new MethodNotAllowed('Listing members of this collection is disabled'); } public function childExists($name): bool { From 2f04a211e7c15e0f8685ff593a1ce0b05e035353 Mon Sep 17 00:00:00 2001 From: Ferdinand Thiessen Date: Wed, 22 Apr 2026 20:47:36 +0200 Subject: [PATCH 3/3] ci: make SSO workflow work on old stable branches Signed-off-by: Ferdinand Thiessen --- .github/workflows/files-external-smb-kerberos.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/files-external-smb-kerberos.yml b/.github/workflows/files-external-smb-kerberos.yml index 8326f6633cabe..7418bf1c76267 100644 --- a/.github/workflows/files-external-smb-kerberos.yml +++ b/.github/workflows/files-external-smb-kerberos.yml @@ -56,6 +56,7 @@ jobs: with: persist-credentials: false repository: nextcloud/user_saml + ref: stable-6 path: apps/user_saml - name: Install user_saml