Don't add Accept-Range header on unsafe HTTP requests

src/Symfony/Component/HttpFoundation/BinaryFileResponse.php

@@ -169,7 +169,11 @@ public function setContentDisposition($disposition, $filename = '', $filenameFal
     public function prepare(Request $request)
     {
         $this->headers->set('Content-Length', $this->file->getSize());
-        $this->headers->set('Accept-Ranges', 'bytes');
+
+        if (!$this->headers->has('Accept-Ranges')) {
+            // Only accept ranges on safe HTTP methods
+            $this->headers->set('Accept-Ranges', $request->isMethodSafe() ? 'bytes' : 'none');
+        }
 
         if (!$this->headers->has('Content-Type')) {
             $this->headers->set('Content-Type', $this->file->getMimeType() ?: 'application/octet-stream');

src/Symfony/Component/HttpFoundation/Tests/BinaryFileResponseTest.php

@@ -200,6 +200,25 @@ public function testSplFileObject()
         $this->assertEquals(realpath($response->getFile()->getPathname()), realpath($filePath));
     }
 
+    public function testAcceptRangeOnUnsafeMethods()
+    {
+        $request = Request::create('/', 'POST');
+        $response = BinaryFileResponse::create(__DIR__.'/File/Fixtures/test.gif');
+        $response->prepare($request);
+
+        $this->assertEquals('none', $response->headers->get('Accept-Ranges'));
+    }
+
+    public function testAcceptRangeNotOverriden()
+    {
+        $request = Request::create('/', 'POST');
+        $response = BinaryFileResponse::create(__DIR__.'/File/Fixtures/test.gif');
+        $response->headers->set('Accept-Ranges', 'foo');
+        $response->prepare($request);
+
+        $this->assertEquals('foo', $response->headers->get('Accept-Ranges'));
+    }
+
     public function getSampleXAccelMappings()
     {
         return array(