It's possible to bypass protection if both Content-Disposition: attachment and Content-Type: multipart are present
vulners.com/securityvulns/securityvulns:doc:28229