From 4dc7fa050f1f30888b5bd71622b68537cc032b44 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Wed, 17 Aug 2022 21:48:02 -0400
Subject: [PATCH 1/7] fix: #10845, disallow inline viewing of uploaded html
 files

---
 src/middleware/index.js | 7 ++++---
 src/routes/index.js     | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/middleware/index.js b/src/middleware/index.js
index d0d3ed346f..96bd3da398 100644
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@@ -214,12 +214,13 @@ middleware.buildSkinAsset = helpers.try(async (req, res, next) => {
 	res.status(200).type('text/css').send(css);
 });
 
-middleware.trimUploadTimestamps = function trimUploadTimestamps(req, res, next) {
-	// Check match
+middleware.addUploadHeaders = function addUploadHeaders(req, res, next) {
+	// Trim uploaded files' timestamps when downloading + force download if html
 	let basename = path.basename(req.path);
+	const extname = path.extname(req.path);
 	if (req.path.startsWith('/uploads/files/') && middleware.regexes.timestampedUpload.test(basename)) {
 		basename = basename.slice(14);
-		res.header('Content-Disposition', `inline; filename="${basename}"`);
+		res.header('Content-Disposition', `${extname.startsWith('.htm') ? 'attachment' : 'inline'}; filename="${basename}"`);
 	}
 
 	next();
diff --git a/src/routes/index.js b/src/routes/index.js
index 557380315d..03b5c7fdfb 100644
--- a/src/routes/index.js
+++ b/src/routes/index.js
@@ -182,7 +182,7 @@ function addCoreRoutes(app, router, middleware, mounts) {
 	}
 
 	statics.forEach((obj) => {
-		app.use(relativePath + obj.route, middleware.trimUploadTimestamps, express.static(obj.path, staticOptions));
+		app.use(relativePath + obj.route, middleware.addUploadHeaders, express.static(obj.path, staticOptions));
 	});
 	app.use(`${relativePath}/uploads`, (req, res) => {
 		res.redirect(`${relativePath}/assets/uploads${req.path}?${meta.config['cache-buster']}`);

From be0256b26e7bff9dba1c744b3b04e796f5bedb2f Mon Sep 17 00:00:00 2001
From: Misty Release Bot <deploy@nodebb.org>
Date: Thu, 18 Aug 2022 02:33:19 +0000
Subject: [PATCH 2/7] chore: incrementing version number - v2.4.3

---
 install/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/package.json b/install/package.json
index 8f265b746c..f49aebd84f 100644
--- a/install/package.json
+++ b/install/package.json
@@ -2,7 +2,7 @@
     "name": "nodebb",
     "license": "GPL-3.0",
     "description": "NodeBB Forum",
-    "version": "2.4.2",
+    "version": "2.4.3",
     "homepage": "http://www.nodebb.org",
     "repository": {
         "type": "git",

From 06da15a5766b7923eda1725ee60e4316f05f43ff Mon Sep 17 00:00:00 2001
From: Misty Release Bot <deploy@nodebb.org>
Date: Thu, 18 Aug 2022 02:33:19 +0000
Subject: [PATCH 3/7] chore: update changelog for v2.4.3

---
 CHANGELOG.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f9df59dc5b..e3038ff6dc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,18 @@
+#### v2.4.3 (2022-08-18)
+
+##### Chores
+
+*  incrementing version number - v2.4.2 (3aa7b855)
+*  update changelog for v2.4.2 (ba7a3466)
+*  incrementing version number - v2.4.1 (60cbd148)
+*  incrementing version number - v2.4.0 (4834cde3)
+*  incrementing version number - v2.3.1 (d2425942)
+*  incrementing version number - v2.3.0 (046ea120)
+
+##### Bug Fixes
+
+*  #10845, disallow inline viewing of uploaded html files (4dc7fa05)
+
 #### v2.4.2 (2022-08-17)
 
 ##### Chores

From 489fb3a36f1c8bd8c42d82f7799577013a1b9c1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
 <barisusakli@gmail.com>
Date: Thu, 18 Aug 2022 09:27:37 -0400
Subject: [PATCH 4/7] fix: missing req, closes #10847

---
 src/controllers/authentication.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/controllers/authentication.js b/src/controllers/authentication.js
index 7b8af8e885..10b93e2bf5 100644
--- a/src/controllers/authentication.js
+++ b/src/controllers/authentication.js
@@ -471,7 +471,7 @@ authenticationController.logout = async function (req, res, next) {
 
 	try {
 		await user.auth.revokeSession(sessionID, uid);
-		await logoutAsync();
+		await logoutAsync(req);
 
 		await destroyAsync(req);
 		res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get());

From 24221d66e0eec1ed8dd095ed04ae16784040e7dc Mon Sep 17 00:00:00 2001
From: Misty Release Bot <deploy@nodebb.org>
Date: Thu, 18 Aug 2022 13:45:26 +0000
Subject: [PATCH 5/7] chore: incrementing version number - v2.4.4

---
 install/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/package.json b/install/package.json
index f49aebd84f..0f1d15ae17 100644
--- a/install/package.json
+++ b/install/package.json
@@ -2,7 +2,7 @@
     "name": "nodebb",
     "license": "GPL-3.0",
     "description": "NodeBB Forum",
-    "version": "2.4.3",
+    "version": "2.4.4",
     "homepage": "http://www.nodebb.org",
     "repository": {
         "type": "git",

From 77e492b8d728912321db7cc2e99277587c61446d Mon Sep 17 00:00:00 2001
From: Misty Release Bot <deploy@nodebb.org>
Date: Thu, 18 Aug 2022 13:45:27 +0000
Subject: [PATCH 6/7] chore: update changelog for v2.4.4

---
 CHANGELOG.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e3038ff6dc..37ac7ed189 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,19 @@
+#### v2.4.4 (2022-08-18)
+
+##### Chores
+
+*  incrementing version number - v2.4.3 (9c647c6c)
+*  update changelog for v2.4.3 (06da15a5)
+*  incrementing version number - v2.4.2 (3aa7b855)
+*  incrementing version number - v2.4.1 (60cbd148)
+*  incrementing version number - v2.4.0 (4834cde3)
+*  incrementing version number - v2.3.1 (d2425942)
+*  incrementing version number - v2.3.0 (046ea120)
+
+##### Bug Fixes
+
+*  missing req, closes #10847 (489fb3a3)
+
 #### v2.4.3 (2022-08-18)
 
 ##### Chores

From bc37a5c51656a20affd8745fa860b5a8bfa023d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
 <barisusakli@gmail.com>
Date: Fri, 19 Aug 2022 08:51:04 -0400
Subject: [PATCH 7/7] fix: parseInt caller.uid closes #10849

---
 src/api/users.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/api/users.js b/src/api/users.js
index aa1ea25687..abc295acfd 100644
--- a/src/api/users.js
+++ b/src/api/users.js
@@ -305,7 +305,7 @@ async function isPrivilegedOrSelfAndPasswordMatch(caller, data) {
 
 async function processDeletion({ uid, method, password, caller }) {
 	const isTargetAdmin = await user.isAdministrator(uid);
-	const isSelf = parseInt(uid, 10) === caller.uid;
+	const isSelf = parseInt(uid, 10) === parseInt(caller.uid, 10);
 	const isAdmin = await user.isAdministrator(caller.uid);
 
 	if (isSelf && meta.config.allowAccountDelete !== 1) {