Security researcher Ilja van Sprundel of IOActive reported that the Content-Disposition: attachment HTTP header was ignored when Content-Type: multipart was also present. This issue could potentially lead to XSS problems in sites that allow users to upload arbitrary files and specify a Content-Type but rely on Content-Disposition: attachment to prevent the content from being displayed inline.
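
Server-side hardening for the situation described above, as an added example that is not part of the advisory or of any project's code: the uploader-declared Content-Type is reduced to an allowlisted type before it is echoed back, so the download does not depend on Content-Disposition: attachment alone. The allowlist, the function names and the sample uploads are assumptions made for illustration.

```python
import re

# Assumption: the only declared types this hypothetical site echoes back.
INERT_TYPES = {"image/png", "image/jpeg", "image/gif", "application/pdf"}
FALLBACK_TYPE = "application/octet-stream"


def safe_media_type(declared):
    """Reduce an uploader-declared Content-Type to an allowlisted bare type."""
    if not declared:
        return FALLBACK_TYPE
    # Drop parameters (boundary=..., charset=...) and normalise case/whitespace.
    bare = declared.split(";", 1)[0].strip().lower()
    # multipart/* is the case from the advisory; it and every other
    # non-allowlisted type fall back to a type that is not rendered inline.
    if bare.startswith("multipart/") or bare not in INERT_TYPES:
        return FALLBACK_TYPE
    return bare


def safe_filename(name):
    """Keep a conservative character set so the name cannot break the header."""
    base = re.split(r"[\\/]", name or "")[-1]          # strip any path part
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return cleaned[:100] or "download"


def download_headers(declared_type, filename):
    """Response headers for serving one user-uploaded file."""
    return [
        ("Content-Type", safe_media_type(declared_type)),
        ("Content-Disposition",
         'attachment; filename="%s"' % safe_filename(filename)),
        # Ask the browser not to second-guess the type chosen above.
        ("X-Content-Type-Options", "nosniff"),
    ]


if __name__ == "__main__":
    # Constructed sample uploads: (declared type, original filename).
    samples = [
        ("multipart/x-mixed-replace; boundary=x", "a.html"),
        ("image/png", "logo.png"),
        ("text/html", "../../page.html"),
    ]
    for declared, fname in samples:
        print(declared, fname, "->", download_headers(declared, fname))
```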