Improved the security of wfStreamFile():
* Use the file extension to determine Content-Type, don't look for magic numbers. This makes the attack surface similar to ordinary web server downloads, and avoids problems when MIME type is not checked on upload.
* Use the same restrictions for Content-Type when streaming as for uploading. This closes any vulnerabilities caused by a change to a more secure configuration, post-upload.
* Don't stream out the file after headers are unexpectedly sent (e.g. due to display_errors). The Content-Type will typically be fixed to text/html in this case and so we need to be careful what we send.