Serve all files with a Content-Disposition of 'attachment' via WebDAV

As an additional security hardening it's sensible to serve these files with a Content-Disposition of 'attachment'. Currently they are served 'inline' and get a "secure mimetype" assigned in case of potential dangerous files.

To test this change ensure that:

- [ ] Syncing with the Desktop client still works
- [ ] Syncing with the Android client still works
- [ ] Syncing with the iOS client still works

I verified that the 1.8 OS X and iOS client still work with this change.

lib/private/connector/sabre/filesplugin.php

@@ -24,6 +24,7 @@
 
 namespace OC\Connector\Sabre;
 
+use Sabre\DAV\IFile;
 use \Sabre\DAV\PropFind;
 use \Sabre\DAV\PropPatch;
 use \Sabre\HTTP\RequestInterface;
@@ -52,6 +53,9 @@ class FilesPlugin extends \Sabre\DAV\ServerPlugin {
 	 */
 	private $tree;
 
+	/**
+	 * @param \Sabre\DAV\Tree $tree
+	 */
 	public function __construct(\Sabre\DAV\Tree $tree) {
 		$this->tree = $tree;
 	}
@@ -84,6 +88,21 @@ class FilesPlugin extends \Sabre\DAV\ServerPlugin {
 		$this->server->on('propPatch', array($this, 'handleUpdateProperties'));
 		$this->server->on('afterBind', array($this, 'sendFileIdHeader'));
 		$this->server->on('afterWriteContent', array($this, 'sendFileIdHeader'));
+		$this->server->on('afterMethod:GET', [$this,'httpGet']);
+	}
+
+	/**
+	 * Plugin that adds a 'Content-Disposition: attachment' header to all files
+	 * delivered by SabreDAV.
+	 * @param RequestInterface $request
+	 * @param ResponseInterface $response
+	 */
+	function httpGet(RequestInterface $request, ResponseInterface $response) {
+		// Only handle valid files
+		$node = $this->tree->getNodeForPath($request->getPath(), 0);
+		if (!($node instanceof IFile)) return;
+
+		$response->addHeader('Content-Disposition', 'attachment');
 	}
 
 	/**