fix: add JavaDoc warning to avoid using ResponseWriter for directories (#12337)
authorAnna Koskinen <Ansku@users.noreply.github.com>
Mon, 5 Jul 2021 09:32:11 +0000 (12:32 +0300)
committerGitHub <noreply@github.com>
Mon, 5 Jul 2021 09:32:11 +0000 (12:32 +0300)
* fix: add JavaDoc warning to avoid using ResponseWriter for directories

(#12324)

Cherry-picked from: https://github.com/vaadin/flow/pull/11112

server/src/main/java/com/vaadin/server/VaadinServlet.java

index fc8aaeaac2335c7b7e58975213fb3cc17956bf9d..58320ecb0a9268a4bd4435d35a1110690df2d49d 100644 (file)
@@ -943,6 +943,13 @@ public class VaadinServlet extends HttpServlet implements Constants {
     /**
      * Writes the contents of the given resourceUrl in the response. Can be
      * overridden to add/modify response headers and similar.
+     * <p>
+     * WARNING: note that this should not be used for a {@code resourceUrl} that
+     * represents a directory! For security reasons, the directory contents
+     * should not be ever written into the {@code response}, and the
+     * implementation which is used for setting the content length relies on
+     * {@link URLConnection#getContentLength()} method which returns incorrect
+     * values for directories.
      *
      * @param request
      *            The request for the resource
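Review bot: The warning added to this method's Javadoc states a security contract, but nothing in the hunk enforces it. The method body lies outside the hunk, so it cannot be confirmed from here whether a `resourceUrl` that points at a directory is rejected before anything is written. If no such guard exists, the comment alone still lets directory contents reach the `response` whenever a caller or an override passes a directory URL, so the check belongs in code on the calling path, with the Javadoc naming where it happens. The wording would also read better as `should never be written into the {@code response}`. Finally, `{@link URLConnection#getContentLength()}` only resolves if `java.net.URLConnection` is imported in this file, which is not visible here.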