MantisBT: master-2.28 26647b2e

Author: dregad
Committer: dregad
Branch: master-2.28
Timestamp: 2026-05-03 13:46
Parent: master-2.28 71df1f67
Affected Issues  0037016: CVE-2026-40597: Content Security Policy bypass via attachments
 0037020: CVE-2026-44657: Stored XSS in File Download
Changeset

Restrict MIME type for file downloads

Until now, file_download.php was sending attachment content with a MIME
type determined by PHP's Fileinfo 1. This creates a risk of JavaScript
execution bypassing the Content Security Policy.

We now only set the Content-Type header for known safe types (e.g. PDF
and images), all text types are forced to text/plain and the rest is
sent as application/octet-stream.

Includes corrections following review by vboctor.

Fixes 0037016, GHSA-9c3j-xm6v-j7j3 / CVE-2026-40597

mod - file_download.php
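The Content-Type policy the commit message describes, written out as an added PHP example in MantisBT's coding style; it is not the commit's own code, and the allow-list, the function names and the SVG exclusion are assumptions of this example rather than details taken from the changeset.

```php
<?php
// Added example, not code from the MantisBT commit above.
// Map the MIME type Fileinfo detected for an attachment to the
// Content-Type that is safe to send, following the commit's policy:
// known safe types pass through, text/* becomes text/plain, everything
// else is application/octet-stream. The allow-list is an assumption.

/**
 * Decide the Content-Type header value for an attachment download.
 *
 * @param string $p_detected MIME type reported by Fileinfo; may carry
 *                           parameters such as "; charset=utf-8".
 * @return string Content-Type value to emit.
 */
function attachment_content_type( $p_detected ) {
	// Types a browser renders without executing script.
	// image/svg+xml is deliberately absent: SVG can embed <script>, so
	// it falls through to application/octet-stream below.
	static $s_safe_types = array(
		'application/pdf',
		'image/png',
		'image/jpeg',
		'image/gif',
		'image/webp',
	);

	// Normalise: drop parameters, trim whitespace, lower-case.
	$t_type = strtolower( trim( (string)strtok( $p_detected, ';' ) ) );

	if( in_array( $t_type, $s_safe_types, true ) ) {
		return $t_type;
	}

	// Any text/* (text/html included) is served as plain text so the
	// browser never parses markup or script out of it.
	if( strpos( $t_type, 'text/' ) === 0 ) {
		return 'text/plain';
	}

	// Scripts, XML, XHTML, unknown types: opaque download.
	return 'application/octet-stream';
}

// Usage (hypothetical caller): pair the header with nosniff so the browser
// does not second-guess the declared type by sniffing the content.
function send_attachment_type_headers( $p_detected ) {
	header( 'Content-Type: ' . attachment_content_type( $p_detected ) );
	header( 'X-Content-Type-Options: nosniff' );
}
```

With this mapping an uploaded HTML or SVG file is never delivered with a type the browser would execute script from, which is what closes the CSP bypass the commit describes.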