Dav: improved path validation for COPY and MOVE operations#1307
Merged
saikrishnakumarreddy merged 1 commit intoMay 6, 2026
Merged
Conversation
saikrishnakumarreddy
force-pushed
the
fix/dav-self-copy
branch
from
2deef73 to
8e7f1bf
Compare
Contributor
|
The commit message could be less verbose for such a change, but it's good this way too.
improved? Because certain validation was already there.
Such wording is not used, I suggest to change it to something like: Now, after resolving ... or The fix is, after resolving ... Otherwise, looks good. |
saikrishnakumarreddy
force-pushed
the
fix/dav-self-copy
branch
2 times, most recently
from
5c3916b to
ac93c38
Compare
saikrishnakumarreddy
changed the title
saikrishnakumarreddy
force-pushed
the
fix/dav-self-copy
branch
from
ac93c38 to
1308c2b
Compare
Contributor
|
The checks don't catch a path name with multiple consecutive slashes, which maps to the same file. |
saikrishnakumarreddy
force-pushed
the
fix/dav-self-copy
branch
4 times, most recently
from
0f8d70a to
a89a7f8
Compare
pluknet
reviewed
May 5, 2026
saikrishnakumarreddy
force-pushed
the
fix/dav-self-copy
branch
from
a89a7f8 to
bdbc1ee
Compare
pluknet
reviewed
May 6, 2026
The COPY and MOVE handler did not validate whether source and destination paths referred to the same resource or a parent-child collection relationship, which could corrupt or destroy files. Now 403 is returned if paths match or one is a prefix of the other. Reported by Mufeed VH of Winfunc Research.
saikrishnakumarreddy
force-pushed
the
fix/dav-self-copy
branch
from
bdbc1ee to
f756220
Compare
pluknet
approved these changes
May 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Improved path validation for COPY and MOVE operations
The COPY and MOVE handler did not validate whether source and
destination paths referred to the same resource or a parent-child
collection relationship, which could corrupt or destroy files.
Now 403 is returned if paths match or one is a prefix of the other.
Testing
Describe how you tested the change (manual testing, automated tests,
regression tests, etc.).
Checklist
Before submitting this PR, please confirm:
subject, references related issue if applicable, and contains only
relevant changes)