From 1635633acddb3588f71f541072a2b623e89587b1 Mon Sep 17 00:00:00 2001
From: Misty Release Bot <deploy@nodebb.org>
Date: Wed, 17 Aug 2022 21:12:34 +0000
Subject: [PATCH 1/3] chore: incrementing version number - v2.4.2

---
 install/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/package.json b/install/package.json
index c7248c007b..8f265b746c 100644
--- a/install/package.json
+++ b/install/package.json
@@ -2,7 +2,7 @@
     "name": "nodebb",
     "license": "GPL-3.0",
     "description": "NodeBB Forum",
-    "version": "2.4.1",
+    "version": "2.4.2",
     "homepage": "http://www.nodebb.org",
     "repository": {
         "type": "git",

From ba7a3466b26fa81d99878fba1e7b0754bf2d11a6 Mon Sep 17 00:00:00 2001
From: Misty Release Bot <deploy@nodebb.org>
Date: Wed, 17 Aug 2022 21:12:35 +0000
Subject: [PATCH 2/3] chore: update changelog for v2.4.2

---
 CHANGELOG.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 636fe4278b..f9df59dc5b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,26 @@
+#### v2.4.2 (2022-08-17)
+
+##### Chores
+
+*  incrementing version number - v2.4.1 (60cbd148)
+*  update changelog for v2.4.1 (4b6baabb)
+*  incrementing version number - v2.4.0 (4834cde3)
+*  incrementing version number - v2.3.1 (d2425942)
+*  incrementing version number - v2.3.0 (046ea120)
+
+##### Documentation Changes
+
+*  explain what export routes actually do in OpenAPI documentation (#10836) (72e7b9f7)
+
+##### Bug Fixes
+
+*  #10841, incorrect conditional in email interstitial partial (ec048a01)
+*  don't crash if post is undefined (4a3e36a7)
+
+##### Tests
+
+*  passport0.6 (#10638) (6b2a6f90)
+
 #### v2.4.1 (2022-08-14)
 
 ##### Chores

From 4dc7fa050f1f30888b5bd71622b68537cc032b44 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Wed, 17 Aug 2022 21:48:02 -0400
Subject: [PATCH 3/3] fix: #10845, disallow inline viewing of uploaded html
 files

---
 src/middleware/index.js | 7 ++++---
 src/routes/index.js     | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/middleware/index.js b/src/middleware/index.js
index d0d3ed346f..96bd3da398 100644
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@@ -214,12 +214,13 @@ middleware.buildSkinAsset = helpers.try(async (req, res, next) => {
 	res.status(200).type('text/css').send(css);
 });
 
-middleware.trimUploadTimestamps = function trimUploadTimestamps(req, res, next) {
-	// Check match
+middleware.addUploadHeaders = function addUploadHeaders(req, res, next) {
+	// Trim uploaded files' timestamps when downloading + force download if html
 	let basename = path.basename(req.path);
+	const extname = path.extname(req.path);
 	if (req.path.startsWith('/uploads/files/') && middleware.regexes.timestampedUpload.test(basename)) {
 		basename = basename.slice(14);
-		res.header('Content-Disposition', `inline; filename="${basename}"`);
+		res.header('Content-Disposition', `${extname.startsWith('.htm') ? 'attachment' : 'inline'}; filename="${basename}"`);
 	}
 
 	next();
diff --git a/src/routes/index.js b/src/routes/index.js
index 557380315d..03b5c7fdfb 100644
--- a/src/routes/index.js
+++ b/src/routes/index.js
@@ -182,7 +182,7 @@ function addCoreRoutes(app, router, middleware, mounts) {
 	}
 
 	statics.forEach((obj) => {
-		app.use(relativePath + obj.route, middleware.trimUploadTimestamps, express.static(obj.path, staticOptions));
+		app.use(relativePath + obj.route, middleware.addUploadHeaders, express.static(obj.path, staticOptions));
 	});
 	app.use(`${relativePath}/uploads`, (req, res) => {
 		res.redirect(`${relativePath}/assets/uploads${req.path}?${meta.config['cache-buster']}`);