Commit Graph

12 Commits

Author SHA1 Message Date
SydMontague
fa6588be58 Improve verification of downloaded files.
Any file could be downloaded as long as the webserver claimed they were
images. This can allow a compromised or malicious server to serve any
kind of data to the requesting server, including executable code.

The risk for this being exploited is very minimal, the downloaded files
can't be executed or used for anything malicious without either another
exploit or additional actions by a malicious, compromised or
non-suspecting user.

Nevertheless, this update adds an additional verification layer making
sure the downloaded file is a valid image file. It additionally stores
the image as PNG on disk, regardless of the filetype of the download,
stripping the file of potential "baggage" as you might find in polyglot
files.

As a general rule of thumb you should
* always use a secure connection to download files (https)
* only give trusted and properly secured users access to the download
functionality
* only download from trusted sites
* preferably upload the images manually
2021-02-19 21:02:23 +01:00
SydMontague
5c556b2f1a Make clear a Spigot server is required. 2020-10-04 00:17:31 +02:00
SydMontague
26862c3b5a Mention toggle item in README, potentially fix tracking arrow showing 2020-09-04 22:47:08 +02:00
SydMontague
07991df33b Fix README and command help 2020-09-04 22:17:19 +02:00
SydMontague
4a2978889c Version 1.0.1
Fixed project setup mistakes
2020-07-23 19:13:33 +02:00
SydMontague
47e37768d8 Bump version to 1.1.0-SNAPSHOT, fix README 2020-07-23 19:10:12 +02:00
SydMontague
a15f79e287 Improve list UX, filter invalid maps 2020-07-23 17:45:51 +02:00
SydMontague
d9ff43a78a Mention imagemaps.* permission node 2020-07-21 14:33:07 +02:00
SydMontague
f7426aa957 Fix error in README 2020-07-21 14:29:06 +02:00
SydMontague
657556f2a3 Contact options as list 2020-07-21 14:25:34 +02:00
SydMontague
7c5e942578 Fix Markdown 2020-07-21 14:24:43 +02:00
SydMontague
bb7fdba9b7 Updated package, added license, added readme 2020-07-21 14:20:24 +02:00