From 6aca44ac75aaa57cdc17ff2a90c1b9a6ba5f33e1 Mon Sep 17 00:00:00 2001
From: or-else <or.else@gmail.com>
Date: Mon, 15 Jan 2024 15:34:46 -0800
Subject: [PATCH] more cases of forced attachment downloads (vs inline)

---
 server/hdl_files.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/server/hdl_files.go b/server/hdl_files.go
index 514c2f57f..de296fe01 100644
--- a/server/hdl_files.go
+++ b/server/hdl_files.go
@@ -136,7 +136,11 @@ func largeFileServe(wrt http.ResponseWriter, req *http.Request) {
 	wrt.Header().Set("Content-Type", fd.MimeType)
 	asAttachment, _ := strconv.ParseBool(req.URL.Query().Get("asatt"))
 	// Force download for html files as a security measure.
-	asAttachment = asAttachment || strings.Contains(fd.MimeType, "html")
+	asAttachment = asAttachment ||
+		strings.Contains(fd.MimeType, "html") ||
+		strings.Contains(fd.MimeType, "xml") ||
+		strings.HasPrefix(fd.MimeType, "application/") ||
+		strings.HasPrefix(fd.MimeType, "text/")
 	if asAttachment {
 		wrt.Header().Set("Content-Disposition", "attachment")
 	}
@@ -274,7 +278,7 @@ func largeFileReceive(wrt http.ResponseWriter, req *http.Request) {
 	// If DetectContentType fails, use client-provided content type.
 	if mimeType == "application/octet-stream" {
 		if contentType := header.Header.Get("Content-Type"); contentType != "" {
-			mimeType = contentType
+			mimeType = strings.ToLower(contentType)
 		}
 	}