Merge branch '4.4' into 5.0

nicolas-grekas · nicolas-grekas · commit 26fb006a2c7b · 2020-03-30T16:14:32.000+02:00
* 4.4:
  [HttpFoundation] Do not set the default Content-Type based on the Accept header
  [Security] Fix access_control behavior with unanimous decision strategy
diff --git a/Request.php b/Request.php
@@ -1561,7 +1561,9 @@ public function isNoCache()
      * Gets the preferred format for the response by inspecting, in the following order:
      *   * the request format set using setRequestFormat
      *   * the values of the Accept HTTP header
-     *   * the content type of the body of the request.
+     *
+     * Note that if you use this method, you should send the "Vary: Accept" header
+     * in the response to prevent any issues with intermediary HTTP caches.
      */
     public function getPreferredFormat(?string $default = 'html'): ?string
     {
diff --git a/Response.php b/Response.php
@@ -266,7 +266,7 @@ public function prepare(Request $request)
         } else {
             // Content-type based on the Request
             if (!$headers->has('Content-Type')) {
-                $format = $request->getPreferredFormat(null);
+                $format = $request->getRequestFormat(null);
                 if (null !== $format && $mimeType = $request->getMimeType($format)) {
                     $headers->set('Content-Type', $mimeType);
                 }
diff --git a/Tests/ResponseTest.php b/Tests/ResponseTest.php
@@ -497,12 +497,25 @@ public function testPrepareDoesNothingIfRequestFormatIsNotDefined()
         $this->assertEquals('text/html; charset=UTF-8', $response->headers->get('content-type'));
     }
 
+    /**
+     * Same URL cannot produce different Content-Type based on the value of the Accept header,
+     * unless explicitly stated in the response object.
+     */
+    public function testPrepareDoesNotSetContentTypeBasedOnRequestAcceptHeader()
+    {
+        $response = new Response('foo');
+        $request = Request::create('/');
+        $request->headers->set('Accept', 'application/json');
+        $response->prepare($request);
+
+        $this->assertSame('text/html; charset=UTF-8', $response->headers->get('content-type'));
+    }
+
     public function testPrepareSetContentType()
     {
         $response = new Response('foo');
         $request = Request::create('/');
         $request->setRequestFormat('json');
-        $request->headers->remove('accept');
 
         $response->prepare($request);
 

Original file line number	Diff line number	Diff line change
`@@ -266,7 +266,7 @@ public function prepare(Request $request)`
`266`	`266`	`} else {`
`267`	`267`	`// Content-type based on the 8000 Request`
`268`	`268`	`if (!$headers->has('Content-Type')) {`
`269`		`- $format = $request->getPreferredFormat(null);`
	`269`	`+ $format = $request->getRequestFormat(null);`
`270`	`270`	`if (null !== $format && $mimeType = $request->getMimeType($format)) {`
`271`	`271`	`$headers->set('Content-Type', $mimeType);`
`272`	`272`	`}`