Bukkit

Improve verification of downloaded files.

Any file could be downloaded as long as the webserver claimed they were images. This can allow a compromised or malicious server to serve any kind of data to the requesting server, including executable code.

The risk for this being exploited is very minimal, the downloaded files can't be executed or used for anything malicious without either another exploit or additional actions by a malicious, compromised or non-suspecting user.

Nevertheless, this update adds an additional verification layer making sure the downloaded file is a valid image file.

As a general rule of thumb you should

• always use a secure connection to download files (https)
• only give trusted and properly secured users access to the download functionality
• only download from trusted sites
• preferably upload the images manually