Recently I had some problem with Drupal 4.7 (4.7.3... but maybe 4.7.2 also) downloading files attached to a page, when using the private download method. Shortly: I.E. downloaded files as.. test, showing http headers (content-type, content-disposition, etc.) followed by file content; Firefox asked to save the file - but the result was the same (a sort of text file including http headers in top of it!).
I had this problem with the same provider (aruba.it) but in two different environments (Linux/apache and Windows hosting). I know other people had similar problem:
http://drupal.org/node/71434
http://drupal.org/node/65593
...
So I started looking around the code, and I found that the "updload_file_download" procedure, in the upload.module, seem returning an empty line before the 3 legal headers. I (still) don't really know why. Then I looked into includes/file.inc and I found that the "file_transfer" function, where is code to remove lines not followed by space or tab. So I added one single line of code, to also avoid outputting of empty lines - I suppose that this empty line cause injection of http headers!
So I modified the file_transter function in file.inc, adding if ($header != '') before outputting headers:
-------------
foreach ($headers as $header) {
// To prevent HTTP header injection, we delete new lines that are
// not followed by a space or a tab.