From 93037a68fc44cd7ee3fe6e0920188a7dfb0d07ba Mon Sep 17 00:00:00 2001
From: Ludwig Lehnert
Date: Mon, 12 Jan 2026 21:04:28 +0100
Subject: [PATCH] using dialogs in file browser now (fix 2)
---
 expressjs/src/server.js | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/expressjs/src/server.js b/expressjs/src/server.js
index 79962b0..e7f60a2 100644
--- a/expressjs/src/server.js
+++ b/expressjs/src/server.js
@@ -155,7 +155,7 @@ function isSameOrigin(req) {
 const referer = req.get('referer');
 const header = origin || referer;
 if (!header) {
- return false;
+ return true;
 }
 try {
 const parsed = new URL(header);
@@ -177,7 +177,7 @@ function csrfGuard(req, res, next) {
 }
 const token = req.cookies[csrfCookieName];
- const provided = req.body?.csrfToken || req.get('x-csrf-token');
+ const provided = req.body?.csrfToken || req.query?.csrfToken || req.get('x-csrf-token');
 if (!token || !provided || token !== provided) {
 if (req.path.startsWith(`${basePath}/api/`)) {
 res.status(403).json({ error: 'CSRF token mismatch' });
@@ -1042,9 +1042,9 @@ app.get(`${basePath}/admin/files`, requireAdminPage, async (req, res) => {
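Review bot: Returning `true` from the `if (!header)` branch makes isSameOrigin fail open, so every request that carries neither `Origin` nor `Referer` now passes the origin check. Missing headers do not establish same-origin: a referrer policy can suppress `Referer`, and non-browser clients send neither header. If header-less requests must be accepted, narrow the case instead of allowing all of them, for example `if (!header) { return req.get('sec-fetch-site') === 'same-origin'; }`, or permit the missing-header path only for safe methods. The function continues past the end of this hunk, so how callers combine this result with the token check is not visible here.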
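Review bot: Reading the token from `req.query?.csrfToken` puts the CSRF secret into the URL, where it is recorded in access logs, browser history and outbound `Referer` headers. Because csrfGuard only compares the provided value with the cookie, a disclosed token is enough to satisfy the check. If the fallback exists for the multipart upload form (presumably its body is not parsed yet when the guard runs), restrict it to that case with `const fromQuery = req.is('multipart/form-data') ? req.query?.csrfToken : undefined;` and use `fromQuery` as the last alternative after the body field and the `x-csrf-token` header. Sending the token in the `x-csrf-token` header from the upload dialog would let the query path be dropped entirely. The start of csrfGuard is outside this hunk.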

Datei hochladen

-
- ${csrfField(res.locals.csrfToken)} - + + ${csrfField(res.locals.csrfToken)} +