Diffstat (limited to 'actionpack/lib/action_dispatch/http/mime_negotiation.rb')
-rw-r--r-- | actionpack/lib/action_dispatch/http/mime_negotiation.rb | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/actionpack/lib/action_dispatch/http/mime_negotiation.rb b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
index 40bb060d52..0b2b60d2e4 100644
--- a/actionpack/lib/action_dispatch/http/mime_negotiation.rb
+++ b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
@@ -10,6 +10,8 @@ module ActionDispatch self.ignore_accept_header = false end + attr_reader :variant + # The MIME type of the HTTP request, such as Mime::XML. # # For backward compatibility, the post \format is extracted from the
@@ -48,7 +50,7 @@ module ActionDispatch # GET /posts/5 | request.format => Mime::HTML or MIME::JS, or request.accepts.first # def format(view_path = [])
- formats.first
+ formats.first || Mime::NullType.instance end def formats
@@ -64,6 +66,20 @@ module ActionDispatch end end
+ # Sets the \variant for template.
+ def variant=(variant)
+ if variant.is_a?(Symbol)
+ @variant = [variant]
+ elsif variant.is_a?(Array) && variant.any? && variant.all?{ |v| v.is_a?(Symbol) }
+ @variant = variant
+ else
+ raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols, not a #{variant.class}. " \
+ "For security reasons, never directly set the variant to a user-provided value, " \
+ "like params[:variant].to_sym. Check user-provided value against a whitelist first, " \
+ "then set the variant: request.variant = :tablet if params[:variant] == 'tablet'"
+ end
+ end + # Sets the \format by string extension, which can be used to force custom formats # that are not controlled by the extension. #
@@ -113,7 +129,7 @@ module ActionDispatch end end
- order.include?(Mime::ALL) ? formats.first : nil
+ order.include?(Mime::ALL) ? format : nil end protected |
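Review bot: `format` now never returns nil, yet the comment block above `def format` still describes the result only as `Mime::HTML or MIME::JS, or request.accepts.first` and says nothing about the new fallback, so a reader will keep writing `if request.format`, which is always true for `Mime::NullType.instance` because only nil and false are falsy in Ruby. I would extend that comment with `# Returns Mime::NullType.instance when +formats+ is empty; the result is never nil, so test it with nil? or compare against Mime::NullType.instance rather than relying on truthiness.` Whether `Mime::NullType` overrides `nil?` cannot be confirmed from this hunk, so the comment should claim only what this line guarantees: a non-nil singleton.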
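Review bot: The checks in `variant=` validate only the type of the value, so `request.variant = params[:variant].to_sym` passes them unchanged and the protection the error message describes exists only if the caller filters the value first; that contract should live in the method comment, not only in the failure message. I would expand `# Sets the \variant for template.` into a comment stating that a Symbol is wrapped in a one-element Array, an Array must be non-empty and contain only Symbols, anything else raises ArgumentError, and that because the variant drives template lookup it must be compared against a fixed allow-list of symbols before assignment rather than produced from user input with `to_sym` (which, on Ruby versions without symbol GC, also lets a client grow the symbol table indefinitely). A smaller point: `@variant = variant` stores the caller's Array by reference, so `@variant = variant.dup` would keep a later mutation of that Array from silently changing the request's variant.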
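Review bot: Replacing `formats.first` with `format` changes the return value of this method in the `Mime::ALL` branch from nil to the truthy `Mime::NullType.instance` whenever no format was determined, so a caller that separates success from failure with `if mime = request.negotiate_mime(order)` now takes the success branch holding a null object and hands it on to template lookup. If that is intended, the method's comment should say that the `Mime::ALL` branch may yield `Mime::NullType.instance` and that callers must check `nil?` or compare against the singleton; if nil was meant to remain the failure signal, the branch has to spell that out explicitly instead of delegating to `format`. The `def negotiate_mime` line and the rest of its body are outside this hunk.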