fix(uploads): ugly filenames on uploaded asset downloading

During regular processing, a timestamp is prepended to the filename
for any uploaded files. We don't want this to be part of the filename
if an end-user elects to download the file.

This commit adds a middleware to strip out that portion of the
basename and adds the appropriate Content-Disposition header for
files in /uploads/files

Fixes #6953

src/middleware/index.js

@@ -28,6 +28,10 @@ var delayCache = LRU({
 
 var middleware = module.exports;
 
+middleware.regexes = {
+	timestampedUpload: /^\d+-.+$/,
+};
+
 middleware.applyCSRF = csrf();
 
 middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login');
@@ -218,3 +222,14 @@ middleware.buildSkinAsset = function (req, res, next) {
 		setImmediate(next);
 	}
 };
+
+middleware.trimUploadTimestamps = (req, res, next) => {
+	// Check match
+	let basename = path.basename(req.path);
+	if (req.path.startsWith('/uploads/files/') && middleware.regexes.timestampedUpload.test(basename)) {
+		basename = basename.slice(14);
+		res.header('Content-Disposition', 'inline; filename="' + basename + '"');
+	}
+
+	return next();
+};

src/routes/index.js

@@ -159,7 +159,7 @@ module.exports = function (app, middleware, callback) {
 	});
 
 	statics.forEach(function (obj) {
-		app.use(relativePath + obj.route, express.static(obj.path, staticOptions));
+		app.use(relativePath + obj.route, middleware.trimUploadTimestamps, express.static(obj.path, staticOptions));
 	});
 	app.use(relativePath + '/uploads', function (req, res) {
 		res.redirect(relativePath + '/assets/uploads' + req.path + '?' + meta.config['cache-buster']);