Merge pull request #59856 from nextcloud/backport/59780/stable31

sorbaugh · web-flow · commit 5b741f6f4ff7 · 2026-04-28T09:13:44.000+02:00
[stable31] fix(dav): do not list intermediate files
diff --git a/.github/workflows/files-external-smb-kerberos.yml b/.github/workflows/files-external-smb-kerberos.yml
@@ -56,6 +56,7 @@ jobs:
         with:
           persist-credentials: false
           repository: nextcloud/user_saml
+          ref: stable-6
           path: apps/user_saml
           ref: 'stable-7'
 
diff --git a/apps/dav/lib/Upload/ChunkingV2Plugin.php b/apps/dav/lib/Upload/ChunkingV2Plugin.php
@@ -30,6 +30,7 @@
 use OCP\Lock\ILockingProvider;
 use Sabre\DAV\Exception\BadRequest;
 use Sabre\DAV\Exception\InsufficientStorage;
+use Sabre\DAV\Exception\MethodNotAllowed;
 use Sabre\DAV\Exception\NotFound;
 use Sabre\DAV\Exception\PreconditionFailed;
 use Sabre\DAV\ICollection;
@@ -68,14 +69,24 @@ public function __construct(ICacheFactory $cacheFactory) {
 	 * @inheritdoc
 	 */
 	public function initialize(Server $server) {
-		$server->on('afterMethod:MKCOL', [$this, 'afterMkcol']);
+		$server->on('beforeMethod:GET', $this->beforeGet(...));
 		$server->on('beforeMethod:PUT', [$this, 'beforePut']);
 		$server->on('beforeMethod:DELETE', [$this, 'beforeDelete']);
 		$server->on('beforeMove', [$this, 'beforeMove'], 90);
+		$server->on('afterMethod:MKCOL', [$this, 'afterMkcol']);
 
 		$this->server = $server;
 	}
 
+	protected function beforeGet(RequestInterface $request) {
+		$sourceNode = $this->server->tree->getNodeForPath($request->getPath());
+		if (($sourceNode instanceof FutureFile) || ($sourceNode instanceof UploadFile)) {
+			throw new MethodNotAllowed('Reading intermediate uploads is not allowed');
+		}
+
+		return true;
+	}
+
 	/**
 	 * @param string $path
 	 * @param bool $createIfNotExists
diff --git a/apps/dav/lib/Upload/RootCollection.php b/apps/dav/lib/Upload/RootCollection.php
@@ -24,6 +24,7 @@ public function __construct(
 		private IUserSession $userSession,
 	) {
 		parent::__construct($principalBackend, $principalPrefix);
+		$this->disableListing = true;
 	}
 
 	/**
diff --git a/apps/dav/lib/Upload/UploadHome.php b/apps/dav/lib/Upload/UploadHome.php
@@ -14,6 +14,7 @@
 use OCP\Files\NotFoundException;
 use OCP\IUserSession;
 use Sabre\DAV\Exception\Forbidden;
+use Sabre\DAV\Exception\MethodNotAllowed;
 use Sabre\DAV\Exception\NotFound;
 use Sabre\DAV\ICollection;
 
@@ -44,9 +45,7 @@ public function getChild($name): UploadFolder {
 	}
 
 	public function getChildren(): array {
-		return array_map(function ($node) {
-			return new UploadFolder($node, $this->cleanupService, $this->getStorage());
-		}, $this->impl()->getChildren());
+		throw new MethodNotAllowed('Listing members of this collection is disabled');
 	}
 
 	public function childExists($name): bool {

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ public function __construct(`
`24`	`24`	`private IUserSession $userSession,`
`25`	`25`	`) {`
`26`	`26`	`parent::__construct($principalBackend, $principalPrefix);`
	`27`	`+ $this->disableListing = true;`
`27`	`28`	`}`
`28`	`29`
`29`	`30`	`/**`