Merge branch 'aydreeihn/issue/attachment_downloads' into release/v1.10.2

* aydreeihn/issue/attachment_downloads: Exclude Vulnerable Image Files Only allow image attachments to be opened in the browser window

Merge branch 'aydreeihn/issue/attachment_downloads' into release/v1.10.2
* aydreeihn/issue/attachment_downloads: Exclude Vulnerable Image Files Only allow image attachments to be opened in the browser window
4c79ff83 · JediKev · 9dd91835 · 4f408b8f · 4c79ff83
Commit 4c79ff83 authored 7 years ago by JediKev
--- a/include/class.http.php
+++ b/include/class.http.php
@@ -106,6 +106,9 @@ class Http {
    }

    function download($filename, $type, $data=null, $disposition='attachment') {
+        if (strpos($type, 'image/') !== 0 || preg_match('/image\/.*\+.*/', $type))
+          $disposition='attachment';
+
        header('Pragma: private');
        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
        header('Cache-Control: private', false);