From 4f408b8f5cbb6ae4ae50f7f304f982c4770b361e Mon Sep 17 00:00:00 2001
From: aydreeihn <adriane@enhancesoft.com>
Date: Tue, 15 Aug 2017 11:18:30 -0500
Subject: [PATCH] Exclude Vulnerable Image Files

Extend this check so that image files that are injectable are excluded from opening in browser windows.
---
 include/class.http.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/class.http.php b/include/class.http.php
index daafa21e7..632a80b03 100644
--- a/include/class.http.php
+++ b/include/class.http.php
@@ -106,7 +106,7 @@ class Http {
     }
 
     function download($filename, $type, $data=null, $disposition='attachment') {
-        if (strpos($type, 'image/') !== 0)
+        if (strpos($type, 'image/') !== 0 || preg_match('/image\/.*\+.*/', $type))
           $disposition='attachment';
 
         header('Pragma: private');
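Review bot: The condition added in `download()` is still a denylist. Any `$type` that starts with `image/` and contains no `+` keeps the caller's `$disposition`, so a scriptable type the pattern does not anticipate, or a file stored with the wrong type, can still be rendered inline. An allowlist of raster types would fail closed, for example `if (!in_array($type, array('image/png', 'image/jpeg', 'image/gif'), true))`, with the list adjusted to the types the application actually needs to preview. The body of `download()` continues past the hunk, so it is not visible whether `X-Content-Type-Options: nosniff` is sent with the response; if it is not, adding it makes the browser honour the declared type. A one-line comment above the check such as `// structured-syntax image types (e.g. image/svg+xml) can carry script; never serve inline` would record why the rule exists.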
-- 
GitLab