by lgats
1671 days ago
Using "filename" within the "Content-Disposition" header, you could theoretically trick a user into downloading a non-image file despite the URL containing lisa.jpg. I think certain browsers have security limits on the file extensions you download, which may include when image->"save as" is used.
Combine that with something like Safari's insistence at automatically exploding zipfiles on download, and you got yourself a party.
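
Added example, not part of either comment: a defender-side check for the mismatch the first comment describes, flagging responses whose `Content-Disposition` filename extension disagrees with the image extension in the URL or with an `image/*` `Content-Type`. The function names, finding codes, extension lists and sample URLs are assumptions made for illustration.

```python
import posixpath
from email.message import Message
from urllib.parse import unquote, urlsplit

# Illustrative lists (assumptions, not exhaustive).
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "webp", "bmp"}
RISKY_EXTS = {"exe", "scr", "bat", "cmd", "msi", "js", "vbs", "zip", "dmg", "pkg"}


def ext_of(name):
    """Final extension, lower-cased, so 'lisa.jpg.exe' yields 'exe'."""
    return posixpath.splitext(posixpath.basename(name))[1].lstrip(".").lower()


def disposition_filename(value):
    """Filename parameter of a Content-Disposition value, or None.

    The stdlib email parser handles quoting and the RFC 2231 'filename*' form.
    """
    if not value:
        return None
    msg = Message()
    msg["Content-Disposition"] = value
    return msg.get_filename()


def check_download(url, headers):
    """Return finding codes for one response (hypothetical helper)."""
    h = {k.lower(): v for k, v in headers.items()}
    name = disposition_filename(h.get("content-disposition"))
    if name is None:
        return []  # no server-chosen filename to compare against
    name_ext = ext_of(name)
    url_ext = ext_of(unquote(urlsplit(url).path))
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    findings = []
    if url_ext in IMAGE_EXTS and name_ext not in IMAGE_EXTS:
        findings.append("url-ext-mismatch")
    if ctype.startswith("image/") and name_ext not in IMAGE_EXTS:
        findings.append("content-type-mismatch")
    if name_ext in RISKY_EXTS:
        findings.append("risky-extension")
    return findings
```

Run over proxy or CDN response logs, a non-empty result marks a response where the saved file's type differs from what the URL or media type suggests.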