diff --git a/CHANGELOG.md b/CHANGELOG.md
index f9df59dc5b..37ac7ed189 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,34 @@
+#### v2.4.4 (2022-08-18)
+
+##### Chores
+
+* incrementing version number - v2.4.3 (9c647c6c)
+* update changelog for v2.4.3 (06da15a5)
+* incrementing version number - v2.4.2 (3aa7b855)
+* incrementing version number - v2.4.1 (60cbd148)
+* incrementing version number - v2.4.0 (4834cde3)
+* incrementing version number - v2.3.1 (d2425942)
+* incrementing version number - v2.3.0 (046ea120)
+
+##### Bug Fixes
+
+* missing req, closes #10847 (489fb3a3)
+
+#### v2.4.3 (2022-08-18)
+
+##### Chores
+
+* incrementing version number - v2.4.2 (3aa7b855)
+* update changelog for v2.4.2 (ba7a3466)
+* incrementing version number - v2.4.1 (60cbd148)
+* incrementing version number - v2.4.0 (4834cde3)
+* incrementing version number - v2.3.1 (d2425942)
+* incrementing version number - v2.3.0 (046ea120)
+
+##### Bug Fixes
+
+* #10845, disallow inline viewing of uploaded html files (4dc7fa05)
+
 #### v2.4.2 (2022-08-17)
 ##### Chores
diff --git a/install/package.json b/install/package.json
index c8f48b55e8..ca8e6d6359 100644
--- a/install/package.json
+++ b/install/package.json
@@ -2,7 +2,7 @@
 "name": "nodebb",
 "license": "GPL-3.0",
 "description": "NodeBB Forum",
- "version": "2.4.2",
+ "version": "2.4.4",
 "homepage": "http://www.nodebb.org",
 "repository": {
 "type": "git",
diff --git a/src/api/users.js b/src/api/users.js
index aa1ea25687..abc295acfd 100644
--- a/src/api/users.js
+++ b/src/api/users.js
@@ -305,7 +305,7 @@ async function isPrivilegedOrSelfAndPasswordMatch(caller, data) {
 async function processDeletion({ uid, method, password, caller }) {
 const isTargetAdmin = await user.isAdministrator(uid);
- const isSelf = parseInt(uid, 10) === caller.uid;
+ const isSelf = parseInt(uid, 10) === parseInt(caller.uid, 10);
 const isAdmin = await user.isAdministrator(caller.uid);
 if (isSelf && meta.config.allowAccountDelete !== 1) {
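Review bot: In the users.js hunk, `isTargetAdmin` on the line above the change is still computed from the raw `uid` while `isSelf` now compares the parsed integer, so the two authorisation inputs may be evaluated against differently-normalised values (`parseInt('1x', 10)` is 1, for instance, while `user.isAdministrator('1x')` presumably sees the original string). Normalising once at the top of processDeletion, `const targetUid = parseInt(uid, 10);`, and passing `targetUid` to both `user.isAdministrator` and the self comparison keeps the decision on a single value, and a non-numeric target then fails every check rather than only the self one. processDeletion's body continues outside the hunk.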
diff --git a/src/controllers/authentication.js b/src/controllers/authentication.js
index 7b8af8e885..10b93e2bf5 100644
--- a/src/controllers/authentication.js
+++ b/src/controllers/authentication.js
@@ -471,7 +471,7 @@ authenticationController.logout = async function (req, res, next) {
 try {
 await user.auth.revokeSession(sessionID, uid);
- await logoutAsync();
+ await logoutAsync(req);
 await destroyAsync(req);
 res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get());
diff --git a/src/middleware/index.js b/src/middleware/index.js
index d0d3ed346f..96bd3da398 100644
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@@ -214,12 +214,13 @@ middleware.buildSkinAsset = helpers.try(async (req, res, next) => {
 res.status(200).type('text/css').send(css);
 });
-middleware.trimUploadTimestamps = function trimUploadTimestamps(req, res, next) {
- // Check match
+middleware.addUploadHeaders = function addUploadHeaders(req, res, next) {
+ // Trim uploaded files' timestamps when downloading + force download if html
 let basename = path.basename(req.path);
+ const extname = path.extname(req.path);
 if (req.path.startsWith('/uploads/files/') && middleware.regexes.timestampedUpload.test(basename)) {
 basename = basename.slice(14);
- res.header('Content-Disposition', `inline; filename="${basename}"`);
+ res.header('Content-Disposition', `${extname.startsWith('.htm') ? 'attachment' : 'inline'}; filename="${basename}"`);
 }
 next();
diff --git a/src/routes/index.js b/src/routes/index.js
index 557380315d..03b5c7fdfb 100644
--- a/src/routes/index.js
+++ b/src/routes/index.js
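Review bot: In the middleware/index.js hunk, the `attachment` disposition on the new `res.header` line is case-sensitive and is only reached when the timestamp regex matches: `path.extname` preserves the request's case, so `.HTML` or `.Htm` falls through to `inline` (relevant where express.static resolves the file on a case-insensitive filesystem), and a file under `/uploads/files/` whose basename does not match `timestampedUpload` gets no Content-Disposition at all. Lower-casing the extension and deciding the disposition outside the regex branch closes both gaps; `.xhtml`, `.svg` and `.xml` are also rendered as documents when navigated to directly and presumably deserve the same treatment (an `attachment` disposition does not affect `<img>` embedding). Adding `X-Content-Type-Options: nosniff` on the same response is a cheap complement, and a `Content-Security-Policy: sandbox` header or serving uploads from a separate origin would keep any inline-rendered upload from executing with the forum's origin. The function's closing `};` is not visible in the hunk.
```javascript
middleware.addUploadHeaders = function addUploadHeaders(req, res, next) {
	// Trim uploaded files' timestamps when downloading + force download if html
	let basename = path.basename(req.path);
	// path.extname() preserves the request's case; compare case-insensitively.
	const extname = path.extname(req.path).toLowerCase();
	if (req.path.startsWith('/uploads/files/')) {
		if (middleware.regexes.timestampedUpload.test(basename)) {
			basename = basename.slice(14);
		}
		// Types a browser renders as a document on this origin are forced to download;
		// everything else keeps the inline disposition.
		const isDocument = extname.startsWith('.htm') || ['.xhtml', '.svg', '.xml'].includes(extname);
		res.header('Content-Disposition', `${isDocument ? 'attachment' : 'inline'}; filename="${basename}"`);
		res.header('X-Content-Type-Options', 'nosniff');
	}
	next();
```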
@@ -182,7 +182,7 @@ function addCoreRoutes(app, router, middleware, mounts) {
 }
 statics.forEach((obj) => {
- app.use(relativePath + obj.route, middleware.trimUploadTimestamps, express.static(obj.path, staticOptions));
+ app.use(relativePath + obj.route, middleware.addUploadHeaders, express.static(obj.path, staticOptions));
 });
 app.use(`${relativePath}/uploads`, (req, res) => {
 res.redirect(`${relativePath}/assets/uploads${req.path}?${meta.config['cache-buster']}`);