Merge pull request #59854 from nextcloud/backport/59780/stable33

[stable33] fix(dav): do not list intermediate files

apps/dav/lib/Upload/ChunkingV2Plugin.php

@@ -30,6 +30,7 @@ use OCP\IConfig;
 use OCP\Lock\ILockingProvider;
 use Sabre\DAV\Exception\BadRequest;
 use Sabre\DAV\Exception\InsufficientStorage;
+use Sabre\DAV\Exception\MethodNotAllowed;
 use Sabre\DAV\Exception\NotFound;
 use Sabre\DAV\Exception\PreconditionFailed;
 use Sabre\DAV\ICollection;
@@ -68,14 +69,24 @@ class ChunkingV2Plugin extends ServerPlugin {
 	 * @inheritdoc
 	 */
 	public function initialize(Server $server) {
-		$server->on('afterMethod:MKCOL', [$this, 'afterMkcol']);
+		$server->on('beforeMethod:GET', $this->beforeGet(...));
 		$server->on('beforeMethod:PUT', [$this, 'beforePut']);
 		$server->on('beforeMethod:DELETE', [$this, 'beforeDelete']);
 		$server->on('beforeMove', [$this, 'beforeMove'], 90);
+		$server->on('afterMethod:MKCOL', [$this, 'afterMkcol']);
 
 		$this->server = $server;
 	}
 
+	protected function beforeGet(RequestInterface $request) {
+		$sourceNode = $this->server->tree->getNodeForPath($request->getPath());
+		if (($sourceNode instanceof FutureFile) || ($sourceNode instanceof UploadFile)) {
+			throw new MethodNotAllowed('Reading intermediate uploads is not allowed');
+		}
+
+		return true;
+	}
+
 	/**
 	 * @param string $path
 	 * @param bool $createIfNotExists

apps/dav/lib/Upload/RootCollection.php

@@ -26,6 +26,7 @@ class RootCollection extends AbstractPrincipalCollection {
 		private IManager $shareManager,
 	) {
 		parent::__construct($principalBackend, $principalPrefix);
+		$this->disableListing = true;
 	}
 
 	/**

apps/dav/lib/Upload/UploadHome.php

@@ -14,6 +14,7 @@ use OCP\Files\IRootFolder;
 use OCP\Files\NotFoundException;
 use OCP\IUserSession;
 use Sabre\DAV\Exception\Forbidden;
+use Sabre\DAV\Exception\MethodNotAllowed;
 use Sabre\DAV\Exception\NotFound;
 use Sabre\DAV\ICollection;
 
@@ -62,14 +63,7 @@ class UploadHome implements ICollection {
 	}
 
 	public function getChildren(): array {
-		return array_map(function ($node) {
-			return new UploadFolder(
-				$node,
-				$this->cleanupService,
-				$this->getStorage(),
-				$this->uid,
-			);
-		}, $this->impl()->getChildren());
+		throw new MethodNotAllowed('Listing members of this collection is disabled');
 	}
 
 	public function childExists($name): bool {

build/integration/filesdrop_features/filesdrop.feature

@@ -199,7 +199,7 @@ Scenario: Files drop allow MKCOL without a nickname
     And Downloading public folder "Mallory/folder"
     Then the HTTP status code should be "405"
     And Downloading public file "Mallory/folder/a.txt"
-    Then the HTTP status code should be "405"
+    Then the HTTP status code should be "404"
 
   Scenario: Files drop requires nickname if file request is enabled
     Given user "user0" exists