  1. Mar 22, 2018
    • Make FAQ & Pages Attachments Viewable · cefe6848
      Peter Rotich authored
      Commit c4579277 introduced an extra administrative security feature to
      restrict file access to signed-in users only, even if a user has a valid
      & signed download URL. The feature, however, did not take into account
      public images & files associated with FAQs and pages such as
      landing/thank-you pages.
      
      This commit addresses the shortcoming by adding a reference ID (attachment ID)
      to the download/access URL, that can be used to deduce the model/object type
      that the file request is associated with. The technique will allow us in the
      future to enforce ACL at the file level depending on privacy settings and
      the security clearance of the user (agent).
  2. Sep 14, 2017
    • CVE-2017-14396 · 1eaa6910
      Peter Rotich authored
      This commit addresses an SQL injection vulnerability in the ORM lookup
      function.
      
      * ORM implementation failed to properly quote fields, used in SQL
      statements, that might originate from unsanitized user input.
      
      * AttachmentFile lookup allowed for key-based SQL injection by blindly
      delegating non-string lookup to ORM.
  3. Oct 24, 2016
  4. Apr 24, 2016
    • files: Require authentication to view attachments · c4579277
      Jared Hancock authored
      This feature adds a setting to the control panel to require signing in to
      view attachments. This is in addition to the security already provided in
      the download URLs. Currently, download URLs are signed for a specific help
      desk, and automatically expire after about 24 hours. The exact timing is the
      following midnight allowing for at least 12 hours cache time.
      
      Administrators can impose this extra security feature to refuse serving
      attachment files if the user is not currently signed in. This could prevent
      third-party users from viewing an attachment if they were able to get access
      to the download URL before it expired.
  5. May 13, 2015
  6. Jan 06, 2015
  7. Dec 31, 2014
    • files: Provide unified download script · d9cf38bc
      Jared Hancock authored
      This script adds a single download script, 'file.php', which provides access
      to files of all types to all users. It uses an HMAC signature system with an
      expires time, which allows signed URLs to be sent to external users.
      
      This also fixes an issue with the Http::cacheable() method, where the
      last-modified and Etag headers were not properly compared, which resulted in
      permanent cache misses by the client.