SEC-2221: Fix the ignored media types to use includes instead of equals

web/src/main/java/org/springframework/security/web/util/MediaTypeRequestMatcher.java

@@ -176,7 +176,7 @@ public final class MediaTypeRequestMatcher implements RequestMatcher {
             return false;
         }
         for(MediaType httpRequestMediaType : httpRequestMediaTypes) {
-            if(ignoredMediaTypes.contains(httpRequestMediaType)) {
+            if(shouldIgnore(httpRequestMediaType)) {
                 continue;
             }
             if(useEquals) {
@@ -191,6 +191,15 @@ public final class MediaTypeRequestMatcher implements RequestMatcher {
         return false;
     }
 
+    private boolean shouldIgnore(MediaType httpRequestMediaType) {
+        for(MediaType ignoredMediaType : ignoredMediaTypes) {
+            if(httpRequestMediaType.includes(ignoredMediaType)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
     /**
      * If set to true, matches on exact {@link MediaType}, else uses
      * {@link MediaType#isCompatibleWith(MediaType)}.

web/src/test/java/org/springframework/security/web/util/MediaTypeRequestMatcherTests.java

@@ -183,4 +183,13 @@ public class MediaTypeRequestMatcherTests {
 
         assertThat(matcher.matches(request)).isTrue();
     }
+
+    @Test
+    public void mediaAllQ08AndTextPlainIgnoreMediaTypeAll() throws HttpMediaTypeNotAcceptableException {
+        when(negotiationStrategy.resolveMediaTypes(any(NativeWebRequest.class))).thenReturn(Arrays.asList(MediaType.TEXT_PLAIN,MediaType.parseMediaType("*/*;q=0.8")));
+        matcher = new MediaTypeRequestMatcher(negotiationStrategy, MediaType.TEXT_HTML);
+        matcher.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));
+
+        assertThat(matcher.matches(request)).isFalse();
+    }
 }