lehnert.cloud/files
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

using dialogs in file browser now (fix 2)

Browse Source
This commit is contained in:
Ludwig Lehnert
2026-01-12 21:04:28 +01:00
parent 27463bbb9a
commit 93037a68fc
1 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
expressjs/src/server.js
View File

@@ -155,7 +155,7 @@ function isSameOrigin(req) {
const referer = req.get('referer'); const referer = req.get('referer');
const header = origin || referer; const header = origin || referer;
if (!header) { if (!header) {
return false; return true;
} }
try { try {
const parsed = new URL(header); const parsed = new URL(header);
@@ -177,7 +177,7 @@ function csrfGuard(req, res, next) {
} }
const token = req.cookies[csrfCookieName]; const token = req.cookies[csrfCookieName];
const provided = req.body?.csrfToken || req.get('x-csrf-token'); const provided = req.body?.csrfToken || req.query?.csrfToken || req.get('x-csrf-token');
if (!token || !provided || token !== provided) { if (!token || !provided || token !== provided) {
if (req.path.startsWith(`${basePath}/api/`)) { if (req.path.startsWith(`${basePath}/api/`)) {
res.status(403).json({ error: 'CSRF token mismatch' }); res.status(403).json({ error: 'CSRF token mismatch' });
@@ -1042,7 +1042,7 @@ app.get(`${basePath}/admin/files`, requireAdminPage, async (req, res) => {
</div> </div>
<div> <div>
<h2>Datei hochladen</h2> <h2>Datei hochladen</h2>
<form method="post" action="${baseUrl('/admin/files/upload')}" enctype="multipart/form-data"> <form method="post" action="${baseUrl(`/admin/files/upload?csrfToken=${encodeURIComponent(res.locals.csrfToken)}`)}" enctype="multipart/form-data">
${csrfField(res.locals.csrfToken)} ${csrfField(res.locals.csrfToken)}
<input type="hidden" name="path" value="${escapeHtml(relativePath)}" /> <input type="hidden" name="path" value="${escapeHtml(relativePath)}" />
<label> <label>
@@ -1356,6 +1356,7 @@ app.get(`${basePath}/dashboard`, requireAuthPage, async (req, res) => {
<script> <script>
const uploadForm = document.getElementById('upload-form'); const uploadForm = document.getElementById('upload-form');
const csrfToken = ${JSON.stringify(res.locals.csrfToken)};
const progress = document.getElementById('upload-progress'); const progress = document.getElementById('upload-progress');
const status = document.getElementById('upload-status'); const status = document.getElementById('upload-status');
const copyButtons = document.querySelectorAll('.copy-link'); const copyButtons = document.querySelectorAll('.copy-link');
@@ -1365,6 +1366,7 @@ app.get(`${basePath}/dashboard`, requireAuthPage, async (req, res) => {
progress.value = 0; progress.value = 0;
const xhr = new XMLHttpRequest(); const xhr = new XMLHttpRequest();
xhr.open('POST', ${JSON.stringify(baseUrl('/api/upload'))}); xhr.open('POST', ${JSON.stringify(baseUrl('/api/upload'))});
xhr.setRequestHeader('X-CSRF-Token', csrfToken);
xhr.upload.addEventListener('progress', (e) => { xhr.upload.addEventListener('progress', (e) => {
if (e.lengthComputable) { if (e.lengthComputable) {
progress.value = Math.round((e.loaded / e.total) * 100); progress.value = Math.round((e.loaded / e.total) * 100);