fix: block moving files to it's own parent with dav

Signed-off-by: Robin Appelman <robin@icewind.nl>

Author: icewind1991

apps/dav/lib/Connector/Sabre/FilesPlugin.php

@@ -199,6 +199,11 @@ public function checkMove($source, $destination) {
 				throw new Forbidden($source . " cannot be deleted");
 			}
 		}
+
+		// The source is not allowed to be the parent of the target
+		if (str_starts_with($source, $destination . '/')) {
+			throw new Forbidden($source . ' cannot be moved to it\'s parent');
+		}
 	}
 
 	/**

build/integration/dav_features/dav-v2.feature

@@ -9,6 +9,16 @@ Feature: dav-v2
 		When User "user0" moves file "/textfile0.txt" to "/FOLDER/textfile0.txt"
 		Then the HTTP status code should be "201"
 
+  Scenario: Moving and overwriting it's parent
+    Given using new dav path
+    And As an "admin"
+    And user "user0" exists
+    And As an "user0"
+    And user "user0" created a folder "/test"
+    And user "user0" created a folder "/test/test"
+    When User "user0" moves file "/test/test" to "/test"
+    Then the HTTP status code should be "403"
+
 	Scenario: download a file with range using new endpoint
 		Given using new dav path
 		And As an "admin"

build/integration/dav_features/webdav-related.feature

@@ -36,6 +36,16 @@ Feature: webdav-related
 		Then the HTTP status code should be "204"
 		And Downloaded content when downloading file "/textfile0.txt" with range "bytes=0-6" should be "Welcome"
 
+  Scenario: Moving and overwriting it's parent
+    Given using old dav path
+    And As an "admin"
+    And user "user0" exists
+    And As an "user0"
+    And user "user0" created a folder "/test"
+    And user "user0" created a folder "/test/test"
+    When User "user0" moves file "/test/test" to "/test"
+    Then the HTTP status code should be "403"
+
 	Scenario: Moving a file to a folder with no permissions
 		Given using old dav path
 		And As an "admin"