SA-CORE-2025-008 by damienmckenna, tame4tex, benjifisher, mohit_aghera, larowlan, mingsong, xjm, neclimdul, catch, drumm, poker10

Author: xjm

modules/system/src/FileDownloadController.php

@@ -3,6 +3,7 @@
 namespace Drupal\system;
 
 use Drupal\Core\Controller\ControllerBase;
+use Drupal\Core\Site\Settings;
 use Drupal\Core\StreamWrapper\StreamWrapperManagerInterface;
 use Symfony\Component\HttpFoundation\BinaryFileResponse;
 use Symfony\Component\HttpFoundation\Request;
@@ -74,9 +75,24 @@ public function download(Request $request, $scheme = 'private') {
       if (count($headers)) {
         // \Drupal\Core\EventSubscriber\FinishResponseSubscriber::onRespond()
         // sets response as not cacheable if the Cache-Control header is not
-        // already modified. We pass in FALSE for non-private schemes for the
-        // $public parameter to make sure we don't change the headers.
-        return new BinaryFileResponse($uri, 200, $headers, $scheme !== 'private');
+        // already modified. Pass in FALSE for the $public parameter so that
+        // existing headers from hook_file_download() are preserved. If any of
+        // those headers set a Cache-Control header, return the response.
+        $response = new BinaryFileResponse($uri, 200, $headers, FALSE);
+        if ($response->headers->has('Cache-Control')) {
+          return $response;
+        }
+
+        // If there is no Cache-Control header, then respect the
+        // file_additional_public_schemes setting, but never treat the core
+        // 'private' or 'temporary' schemes as cacheable.
+        $additional_public_schemes = array_diff(
+          Settings::get('file_additional_public_schemes', []),
+          ['private', 'temporary'],
+        );
+        return in_array($scheme, $additional_public_schemes, TRUE)
+          ? $response->setPublic()
+          : $response->setPrivate();
       }
 
       throw new AccessDeniedHttpException();