Merge pull request #59943 from nextcloud/backport/59864/stable28

sorbaugh · web-flow · commit e7ef9a9c8f13 · 2026-04-28T09:13:55.000+02:00
[stable28] fix(dav): do not list intermediate files
diff --git a/apps/dav/lib/Upload/ChunkingV2Plugin.php b/apps/dav/lib/Upload/ChunkingV2Plugin.php
@@ -46,6 +46,7 @@
 use OCP\Lock\ILockingProvider;
 use Sabre\DAV\Exception\BadRequest;
 use Sabre\DAV\Exception\InsufficientStorage;
+use Sabre\DAV\Exception\MethodNotAllowed;
 use Sabre\DAV\Exception\NotFound;
 use Sabre\DAV\Exception\PreconditionFailed;
 use Sabre\DAV\ICollection;
@@ -84,14 +85,24 @@ public function __construct(ICacheFactory $cacheFactory) {
 	 * @inheritdoc
 	 */
 	public function initialize(Server $server) {
-		$server->on('afterMethod:MKCOL', [$this, 'afterMkcol']);
+		$server->on('beforeMethod:GET', [$this, 'beforeGet']);
 		$server->on('beforeMethod:PUT', [$this, 'beforePut']);
 		$server->on('beforeMethod:DELETE', [$this, 'beforeDelete']);
 		$server->on('beforeMove', [$this, 'beforeMove'], 90);
+		$server->on('afterMethod:MKCOL', [$this, 'afterMkcol']);
 
 		$this->server = $server;
 	}
 
+	public function beforeGet(RequestInterface $request) {
+		$sourceNode = $this->server->tree->getNodeForPath($request->getPath());
+		if (($sourceNode instanceof FutureFile) || ($sourceNode instanceof UploadFile)) {
+			throw new MethodNotAllowed('Reading intermediate uploads is not allowed');
+		}
+
+		return true;
+	}
+
 	/**
 	 * @param string $path
 	 * @param bool $createIfNotExists
diff --git a/apps/dav/lib/Upload/RootCollection.php b/apps/dav/lib/Upload/RootCollection.php
@@ -39,6 +39,7 @@ public function __construct(PrincipalBackend\BackendInterface $principalBackend,
 		CleanupService $cleanupService) {
 		parent::__construct($principalBackend, $principalPrefix);
 		$this->cleanupService = $cleanupService;
+		$this->disableListing = true;
 	}
 
 	/**
diff --git a/apps/dav/lib/Upload/UploadHome.php b/apps/dav/lib/Upload/UploadHome.php
@@ -29,6 +29,7 @@
 use OC\Files\View;
 use OCA\DAV\Connector\Sabre\Directory;
 use Sabre\DAV\Exception\Forbidden;
+use Sabre\DAV\Exception\MethodNotAllowed;
 use Sabre\DAV\ICollection;
 
 class UploadHome implements ICollection {
@@ -58,9 +59,7 @@ public function getChild($name): UploadFolder {
 	}
 
 	public function getChildren(): array {
-		return array_map(function ($node) {
-			return new UploadFolder($node, $this->cleanupService, $this->getStorage());
-		}, $this->impl()->getChildren());
+		throw new MethodNotAllowed('Listing members of this collection is disabled');
 	}
 
 	public function childExists($name): bool {

Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,7 @@ public function __construct(PrincipalBackend\BackendInterface $principalBackend,`
`39`	`39`	`CleanupService $cleanupService) {`
`40`	`40`	`parent::__construct($principalBackend, $principalPrefix);`
`41`	`41`	`$this->cleanupService = $cleanupService;`
	`42`	`+ $this->disableListing = true;`
`42`	`43`	`}`
`43`	`44`
`44`	`45`	`/**`