From ec048a01ba9f2dbc17064427bdcafd88e7271c88 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Wed, 17 Aug 2022 15:32:36 -0400
Subject: [PATCH 1/6] fix: #10841, incorrect conditional in email interstitial partial
---
 src/views/partials/email_update.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/views/partials/email_update.tpl b/src/views/partials/email_update.tpl
index bdf70d6ac0..5e2d77f183 100644
--- a/src/views/partials/email_update.tpl
+++ b/src/views/partials/email_update.tpl
@@ -11,7 +11,7 @@
 <p class="help-block">[[user:emailUpdate.change-instructions]]</p>
 </div>
- {{{ if update }}}
+ {{{ if issuePasswordChallenge }}}
 <div class="form-group">
 <label for="password">[[register:password]]</label>
 <input class="form-control" type="password" id="password" name="password" />
From 1635633acddb3588f71f541072a2b623e89587b1 Mon Sep 17 00:00:00 2001
From: Misty Release Bot <deploy@nodebb.org>
Date: Wed, 17 Aug 2022 21:12:34 +0000
Subject: [PATCH 2/6] chore: incrementing version number - v2.4.2
---
 install/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/package.json b/install/package.json
index c7248c007b..8f265b746c 100644
--- a/install/package.json
+++ b/install/package.json
@@ -2,7 +2,7 @@
 "name": "nodebb",
 "license": "GPL-3.0",
 "description": "NodeBB Forum",
- "version": "2.4.1",
+ "version": "2.4.2",
 "homepage": "http://www.nodebb.org",
 "repository": {
 "type": "git",
From ba7a3466b26fa81d99878fba1e7b0754bf2d11a6 Mon Sep 17 00:00:00 2001
From: Misty Release Bot <deploy@nodebb.org>
Date: Wed, 17 Aug 2022 21:12:35 +0000
Subject: [PATCH 3/6] chore: update changelog for v2.4.2
---
 CHANGELOG.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 636fe4278b..f9df59dc5b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,26 @@
+#### v2.4.2 (2022-08-17)
+
+##### Chores
+
+* incrementing version number - v2.4.1 (60cbd148)
+* update changelog for v2.4.1 (4b6baabb)
+* incrementing version number - v2.4.0 (4834cde3)
+* incrementing version number - v2.3.1 (d2425942)
+* incrementing version number - v2.3.0 (046ea120)
+
+##### Documentation Changes
+
+* explain what export routes actually do in OpenAPI documentation (#10836) (72e7b9f7)
+
+##### Bug Fixes
+
+* #10841, incorrect conditional in email interstitial partial (ec048a01)
+* don't crash if post is undefined (4a3e36a7)
+
+##### Tests
+
+* passport0.6 (#10638) (6b2a6f90)
+
 #### v2.4.1 (2022-08-14)
 ##### Chores
From 4dc7fa050f1f30888b5bd71622b68537cc032b44 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Wed, 17 Aug 2022 21:48:02 -0400
Subject: [PATCH 4/6] fix: #10845, disallow inline viewing of uploaded html files
---
 src/middleware/index.js | 7 ++++---
 src/routes/index.js | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/middleware/index.js b/src/middleware/index.js
index d0d3ed346f..96bd3da398 100644
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@@ -214,12 +214,13 @@ middleware.buildSkinAsset = helpers.try(async (req, res, next) => {
 res.status(200).type('text/css').send(css);
 });
-middleware.trimUploadTimestamps = function trimUploadTimestamps(req, res, next) {
- // Check match
+middleware.addUploadHeaders = function addUploadHeaders(req, res, next) {
+ // Trim uploaded files' timestamps when downloading + force download if html
 let basename = path.basename(req.path);
+ const extname = path.extname(req.path);
 if (req.path.startsWith('/uploads/files/') && middleware.regexes.timestampedUpload.test(basename)) {
 basename = basename.slice(14);
- res.header('Content-Disposition', `inline; filename="${basename}"`);
+ res.header('Content-Disposition', `${extname.startsWith('.htm') ? 'attachment' : 'inline'}; filename="${basename}"`);
 }
 next();
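Review bot: The `extname.startsWith('.htm')` test in the new `Content-Disposition` line is case-sensitive, so an upload whose extension is written `.HTML` or `.Htm` would still be sent as `inline` if the static handler resolves MIME types from extensions case-insensitively (not visible in this hunk). Normalising first, `const extname = path.extname(req.path).toLowerCase();`, closes that gap. The `attachment` value is also only set inside the `/uploads/files/` plus `timestampedUpload` condition, so an HTML file served through this middleware under any other path or name gets no `Content-Disposition` header at all; whether such files can exist depends on upload code outside this hunk. Other script-capable types such as `.svg` or `.xhtml` are not matched by the prefix check and may deserve the same treatment. The function's closing lines are outside the hunk.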
diff --git a/src/routes/index.js b/src/routes/index.js
index 557380315d..03b5c7fdfb 100644
--- a/src/routes/index.js
+++ b/src/routes/index.js
@@ -182,7 +182,7 @@ function addCoreRoutes(app, router, middleware, mounts) {
 }
 statics.forEach((obj) => {
- app.use(relativePath + obj.route, middleware.trimUploadTimestamps, express.static(obj.path, staticOptions));
+ app.use(relativePath + obj.route, middleware.addUploadHeaders, express.static(obj.path, staticOptions));
 });
 app.use(`${relativePath}/uploads`, (req, res) => {
 res.redirect(`${relativePath}/assets/uploads${req.path}?${meta.config['cache-buster']}`);
From be0256b26e7bff9dba1c744b3b04e796f5bedb2f Mon Sep 17 00:00:00 2001
From: Misty Release Bot <deploy@nodebb.org>
Date: Thu, 18 Aug 2022 02:33:19 +0000
Subject: [PATCH 5/6] chore: incrementing version number - v2.4.3
---
 install/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/package.json b/install/package.json
index 8f265b746c..f49aebd84f 100644
--- a/install/package.json
+++ b/install/package.json
@@ -2,7 +2,7 @@
 "name": "nodebb",
 "license": "GPL-3.0",
 "description": "NodeBB Forum",
- "version": "2.4.2",
+ "version": "2.4.3",
 "homepage": "http://www.nodebb.org",
 "repository": {
 "type": "git",
From 06da15a5766b7923eda1725ee60e4316f05f43ff Mon Sep 17 00:00:00 2001
From: Misty Release Bot <deploy@nodebb.org>
Date: Thu, 18 Aug 2022 02:33:19 +0000
Subject: [PATCH 6/6] chore: update changelog for v2.4.3
---
 CHANGELOG.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f9df59dc5b..e3038ff6dc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,18 @@
+#### v2.4.3 (2022-08-18)
+
+##### Chores
+
+* incrementing version number - v2.4.2 (3aa7b855)
+* update changelog for v2.4.2 (ba7a3466)
+* incrementing version number - v2.4.1 (60cbd148)
+* incrementing version number - v2.4.0 (4834cde3)
+* incrementing version number - v2.3.1 (d2425942)
+* incrementing version number - v2.3.0 (046ea120)
+
+##### Bug Fixes
+
+* #10845, disallow inline viewing of uploaded html files (4dc7fa05)
+
 #### v2.4.2 (2022-08-17)
 ##### Chores