Roxen.git / server / modules / filesystems / filesystem.pike


Roxen.git/server/modules/filesystems/filesystem.pike:1708:    return Roxen.http_status(403, "Permission denied.");    }    Stat dest_st = stat_file(dest, id);    if (dest_st) {    SIMPLE_TRACE_ENTER (this, "COPY: Destination exists");    if (is_same_inode(source_st, dest_st)) {    TRACE_LEAVE("Source and destination are the same inode.");    TRACE_LEAVE("");    return Roxen.http_status(403, "Permission denied.");    } +  if (has_prefix(source, dest)) { +  TRACE_LEAVE("Destination contains source."); +  TRACE_LEAVE(""); +  return Roxen.http_status(403, "Permission denied."); +  }    switch(overwrite) {    case NEVER_OVERWRITE:    TRACE_LEAVE("");    TRACE_LEAVE("");    return Roxen.http_status(412, "Destination already exists.");    case DO_OVERWRITE:    if (!query("delete")) {    TRACE_LEAVE("COPY: Deletion not allowed.");    TRACE_LEAVE("");    return Roxen.http_status(405, "Not allowed.");
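Review bot: The added `has_prefix(source, dest)` test compares raw strings rather than path components, so a sibling whose name merely starts with the destination's name (constructed example: source `/a/foobar`, destination `/a/foo`) is refused with 403 although the destination does not contain it. Anchoring the prefix on a separator avoids that: `if (has_prefix(source, has_suffix(dest, "/") ? dest : dest + "/")) {`. The `has_prefix(dest, source)` check added in the directory branch further down has the same gap with the roles reversed. The check also sits ahead of `switch(overwrite)`, so a NEVER_OVERWRITE request in this situation now gets 403 instead of 412; say so in a comment if that is intended. The enclosing function starts and ends outside this hunk.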
Roxen.git/server/modules/filesystems/filesystem.pike:1792:    } else if (source_st->isdir) {    TRACE_LEAVE("Already done (both are directories).");    TRACE_LEAVE("");    return Roxen.http_status(204, "Destination already existed.");    }    break;    }    }       if (source_st->isdir) { +  if (has_prefix(dest, source)) { +  TRACE_LEAVE("Source contains destination."); +  return Roxen.http_status(403, "Permission denied."); +  } +     mkdirs++;    object privs;    SETUID_TRACE("Creating directory/collection", 0);       int code = mkdir(dest_path);    int err_code = errno();       if (code) {    string msg = safe_chmod(dest_path, 0777 & ~(id->misc->umask || 022));    privs = 0;
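Review bot: The containment guard in the `source_st->isdir` branch compares the request paths `dest` and `source`, while the directory is then created at `dest_path`, so it only prevents a self-nested copy if both strings are already normalized the same way. Whether trailing slashes, `..` segments or symlinks under the source are resolved before this point is not visible in the hunk; if they are not, a destination that really lies inside the source can pass the check and the recursive copy can keep descending into its own output. Consider comparing the resolved paths, and add a comment such as `// Refuse to copy a collection into its own subtree; the copy would recurse into itself.` above the check. The enclosing function starts and ends outside this hunk.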