Merge remote-tracking branch 'aa/issue/attachment_downloads' into features_prs/develop-next

* aa/issue/attachment_downloads:
  Exclude Vulnerable Image Files
  Only allow image attachments to be opened in the browser window

include/class.http.php

@@ -106,6 +106,9 @@ class Http {
     }
 
     function download($filename, $type, $data=null, $disposition='attachment') {
+        if (strpos($type, 'image/') !== 0 || preg_match('/image\/.*\+.*/', $type))
+          $disposition='attachment';
+
         header('Pragma: private');
         header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
         header('Cache-Control: private', false);