download/file.php uses $_GET value instead of function request_var()

The code in download/file.php

$filename = $_GET['avatar'];

should be adjusted to use function request_var() to get $filename value.
Direct use of $_GET is known as insecure option.