Ensure that PHP doesn't override response code

If we don't pass the response status code to the function `header()` PHP
might silently change the response code, which is not really nice since
it should be up for the developers to define how they design the
application.

This silent change usually happens when one uses "Location" with a
status code that's not 201 or 3xx, and some people already discussed a
lot and essencially they've said that PHP will not modify its behaviour
regarding this because it allows high level code to modify (fix) this.

References:

- https://bugs.php.net/bug.php?id=70273
- https://bugs.php.net/bug.php?id=51749
- https://bugs.php.net/bug.php?id=74535

Author: lcobucci

src/Response/SapiEmitterTrait.php

@@ -43,12 +43,14 @@ private function assertNoPreviousOutput()
     private function emitStatusLine(ResponseInterface $response)
     {
         $reasonPhrase = $response->getReasonPhrase();
+        $statusCode   = $response->getStatusCode();
+
         header(sprintf(
             'HTTP/%s %d%s',
             $response->getProtocolVersion(),
-            $response->getStatusCode(),
+            $statusCode,
             ($reasonPhrase ? ' ' . $reasonPhrase : '')
-        ));
+        ), true, $statusCode);
     }
 
     /**
@@ -63,6 +65,8 @@ private function emitStatusLine(ResponseInterface $response)
      */
     private function emitHeaders(ResponseInterface $response)
     {
+        $statusCode = $response->getStatusCode();
+
         foreach ($response->getHeaders() as $header => $values) {
             $name  = $this->filterHeader($header);
             $first = $name === 'Set-Cookie' ? false : true;
@@ -71,7 +75,7 @@ private function emitHeaders(ResponseInterface $response)
                     '%s: %s',
                     $name,
                     $value
-                ), $first);
+                ), $first, $statusCode);
                 $first = false;
             }
         }

test/Response/AbstractEmitterTest.php

@@ -66,9 +66,27 @@ public function testMultipleSetCookieHeadersAreNotReplaced()
         $this->emitter->emit($response);
 
         $expectedStack = [
-            ['header' => 'HTTP/1.1 200 OK', 'replace' => true, 'status_code' => null],
-            ['header' => 'Set-Cookie: foo=bar', 'replace' => false, 'status_code' => null],
-            ['header' => 'Set-Cookie: bar=baz', 'replace' => false, 'status_code' => null],
+            ['header' => 'HTTP/1.1 200 OK', 'replace' => true, 'status_code' => 200],
+            ['header' => 'Set-Cookie: foo=bar', 'replace' => false, 'status_code' => 200],
+            ['header' => 'Set-Cookie: bar=baz', 'replace' => false, 'status_code' => 200],
+        ];
+
+        $this->assertSame($expectedStack, HeaderStack::stack());
+    }
+
+    public function testDoesNotLetResponseCodeBeOverriddenByPHP()
+    {
+        $response = (new Response())
+            ->withStatus(202)
+            ->withAddedHeader('Location', 'http://api.my-service.com/12345678')
+            ->withAddedHeader('Content-Type', 'text/plain');
+
+        $this->emitter->emit($response);
+
+        $expectedStack = [
+            ['header' => 'HTTP/1.1 202 Accepted', 'replace' => true, 'status_code' => 202],
+            ['header' => 'Location: http://api.my-service.com/12345678', 'replace' => true, 'status_code' => 202],
+            ['header' => 'Content-Type: text/plain', 'replace' => true, 'status_code' => 202],
         ];
 
         $this->assertSame($expectedStack, HeaderStack::stack());