Fix content-type spoofing vulnerability that could allow users to upload ActivityPub objects as attachments