Merge remote-tracking branch 'origin/master' into develop

2026-02-28 01:21:13 +01:00 · 2022-08-19 10:50:59 -04:00
parent 0ba03950e9 bc37a5c516
commit 20ebf0a1e0
6 changed files with 39 additions and 7 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,34 @@
+#### v2.4.4 (2022-08-18)
+
+##### Chores
+
+*  incrementing version number - v2.4.3 (9c647c6c)
+*  update changelog for v2.4.3 (06da15a5)
+*  incrementing version number - v2.4.2 (3aa7b855)
+*  incrementing version number - v2.4.1 (60cbd148)
+*  incrementing version number - v2.4.0 (4834cde3)
+*  incrementing version number - v2.3.1 (d2425942)
+*  incrementing version number - v2.3.0 (046ea120)
+
+##### Bug Fixes
+
+*  missing req, closes #10847 (489fb3a3)
+
+#### v2.4.3 (2022-08-18)
+
+##### Chores
+
+*  incrementing version number - v2.4.2 (3aa7b855)
+*  update changelog for v2.4.2 (ba7a3466)
+*  incrementing version number - v2.4.1 (60cbd148)
+*  incrementing version number - v2.4.0 (4834cde3)
+*  incrementing version number - v2.3.1 (d2425942)
+*  incrementing version number - v2.3.0 (046ea120)
+
+##### Bug Fixes
+
+*  #10845, disallow inline viewing of uploaded html files (4dc7fa05)
+
 #### v2.4.2 (2022-08-17)

 ##### Chores
--- a/install/package.json
+++ b/install/package.json
@@ -2,7 +2,7 @@
    "name": "nodebb",
    "license": "GPL-3.0",
    "description": "NodeBB Forum",
-    "version": "2.4.2",
+    "version": "2.4.4",
    "homepage": "http://www.nodebb.org",
    "repository": {
        "type": "git",
--- a/src/api/users.js
+++ b/src/api/users.js
@@ -305,7 +305,7 @@ async function isPrivilegedOrSelfAndPasswordMatch(caller, data) {

 async function processDeletion({ uid, method, password, caller }) {
 	const isTargetAdmin = await user.isAdministrator(uid);
-	const isSelf = parseInt(uid, 10) === caller.uid;
+	const isSelf = parseInt(uid, 10) === parseInt(caller.uid, 10);
 	const isAdmin = await user.isAdministrator(caller.uid);

 	if (isSelf && meta.config.allowAccountDelete !== 1) {
--- a/src/controllers/authentication.js
+++ b/src/controllers/authentication.js
@@ -471,7 +471,7 @@ authenticationController.logout = async function (req, res, next) {

 	try {
 		await user.auth.revokeSession(sessionID, uid);
-		await logoutAsync();
+		await logoutAsync(req);

 		await destroyAsync(req);
 		res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get());
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@@ -214,12 +214,13 @@ middleware.buildSkinAsset = helpers.try(async (req, res, next) => {
 	res.status(200).type('text/css').send(css);
 });

-middleware.trimUploadTimestamps = function trimUploadTimestamps(req, res, next) {
-	// Check match
+middleware.addUploadHeaders = function addUploadHeaders(req, res, next) {
+	// Trim uploaded files' timestamps when downloading + force download if html
 	let basename = path.basename(req.path);
+	const extname = path.extname(req.path);
 	if (req.path.startsWith('/uploads/files/') && middleware.regexes.timestampedUpload.test(basename)) {
 		basename = basename.slice(14);
-		res.header('Content-Disposition', `inline; filename="${basename}"`);
+		res.header('Content-Disposition', `${extname.startsWith('.htm') ? 'attachment' : 'inline'}; filename="${basename}"`);
 	}

 	next();
--- a/src/routes/index.js
+++ b/src/routes/index.js
@@ -182,7 +182,7 @@ function addCoreRoutes(app, router, middleware, mounts) {
 	}

 	statics.forEach((obj) => {
-		app.use(relativePath + obj.route, middleware.trimUploadTimestamps, express.static(obj.path, staticOptions));
+		app.use(relativePath + obj.route, middleware.addUploadHeaders, express.static(obj.path, staticOptions));
 	});
 	app.use(`${relativePath}/uploads`, (req, res) => {
 		res.redirect(`${relativePath}/assets/uploads${req.path}?${meta.config['cache-buster']}`);