Merge remote-tracking branch 'origin/master' into develop

CHANGELOG.md

@@ -1,3 +1,34 @@
+#### v2.4.4 (2022-08-18)
+
+##### Chores
+
+*  incrementing version number - v2.4.3 (9c647c6c)
+*  update changelog for v2.4.3 (06da15a5)
+*  incrementing version number - v2.4.2 (3aa7b855)
+*  incrementing version number - v2.4.1 (60cbd148)
+*  incrementing version number - v2.4.0 (4834cde3)
+*  incrementing version number - v2.3.1 (d2425942)
+*  incrementing version number - v2.3.0 (046ea120)
+
+##### Bug Fixes
+
+*  missing req, closes #10847 (489fb3a3)
+
+#### v2.4.3 (2022-08-18)
+
+##### Chores
+
+*  incrementing version number - v2.4.2 (3aa7b855)
+*  update changelog for v2.4.2 (ba7a3466)
+*  incrementing version number - v2.4.1 (60cbd148)
+*  incrementing version number - v2.4.0 (4834cde3)
+*  incrementing version number - v2.3.1 (d2425942)
+*  incrementing version number - v2.3.0 (046ea120)
+
+##### Bug Fixes
+
+*  #10845, disallow inline viewing of uploaded html files (4dc7fa05)
+
 #### v2.4.2 (2022-08-17)
 
 ##### Chores

install/package.json

@@ -2,7 +2,7 @@
     "name": "nodebb",
     "license": "GPL-3.0",
     "description": "NodeBB Forum",
-    "version": "2.4.2",
+    "version": "2.4.4",
     "homepage": "http://www.nodebb.org",
     "repository": {
         "type": "git",

src/api/users.js

@@ -305,7 +305,7 @@ async function isPrivilegedOrSelfAndPasswordMatch(caller, data) {
 
 async function processDeletion({ uid, method, password, caller }) {
 	const isTargetAdmin = await user.isAdministrator(uid);
-	const isSelf = parseInt(uid, 10) === caller.uid;
+	const isSelf = parseInt(uid, 10) === parseInt(caller.uid, 10);
 	const isAdmin = await user.isAdministrator(caller.uid);
 
 	if (isSelf && meta.config.allowAccountDelete !== 1) {

src/controllers/authentication.js

@@ -471,7 +471,7 @@ authenticationController.logout = async function (req, res, next) {
 
 	try {
 		await user.auth.revokeSession(sessionID, uid);
-		await logoutAsync();
+		await logoutAsync(req);
 
 		await destroyAsync(req);
 		res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get());

src/middleware/index.js

@@ -214,12 +214,13 @@ middleware.buildSkinAsset = helpers.try(async (req, res, next) => {
 	res.status(200).type('text/css').send(css);
 });
 
-middleware.trimUploadTimestamps = function trimUploadTimestamps(req, res, next) {
-	// Check match
+middleware.addUploadHeaders = function addUploadHeaders(req, res, next) {
+	// Trim uploaded files' timestamps when downloading + force download if html
 	let basename = path.basename(req.path);
+	const extname = path.extname(req.path);
 	if (req.path.startsWith('/uploads/files/') && middleware.regexes.timestampedUpload.test(basename)) {
 		basename = basename.slice(14);
-		res.header('Content-Disposition', `inline; filename="${basename}"`);
+		res.header('Content-Disposition', `${extname.startsWith('.htm') ? 'attachment' : 'inline'}; filename="${basename}"`);
 	}
 
 	next();

src/routes/index.js

@@ -182,7 +182,7 @@ function addCoreRoutes(app, router, middleware, mounts) {
 	}
 
 	statics.forEach((obj) => {
-		app.use(relativePath + obj.route, middleware.trimUploadTimestamps, express.static(obj.path, staticOptions));
+		app.use(relativePath + obj.route, middleware.addUploadHeaders, express.static(obj.path, staticOptions));
 	});
 	app.use(`${relativePath}/uploads`, (req, res) => {
 		res.redirect(`${relativePath}/assets/uploads${req.path}?${meta.config['cache-buster']}`);