From: Anna Koskinen <Ansku@users.noreply.github.com>
Date: Tue, 15 Jun 2021 13:28:13 +0000 (+0300)
Subject: fix: add JavaDoc warning to avoid using ResponseWriter for directories (#12324)
X-Git-Tag: 8.14.0.alpha1~21
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=ba02350206ef25f6c29618f3cf7458f43543f3e8;p=vaadin-framework.git

fix: add JavaDoc warning to avoid using ResponseWriter for directories (#12324)

* fix: add JavaDoc warning to avoid using ResponseWriter for directories

Cherry-picked from: https://github.com/vaadin/flow/pull/11112
---

diff --git a/server/src/main/java/com/vaadin/server/VaadinServlet.java b/server/src/main/java/com/vaadin/server/VaadinServlet.java
index fc8aaeaac2..58320ecb0a 100644
--- a/server/src/main/java/com/vaadin/server/VaadinServlet.java
+++ b/server/src/main/java/com/vaadin/server/VaadinServlet.java
@@ -943,6 +943,13 @@ public class VaadinServlet extends HttpServlet implements Constants {
     /**
      * Writes the contents of the given resourceUrl in the response. Can be
      * overridden to add/modify response headers and similar.
+     * <p>
+     * WARNING: note that this should not be used for a {@code resourceUrl} that
+     * represents a directory! For security reasons, the directory contents
+     * should not be ever written into the {@code response}, and the
+     * implementation which is used for setting the content length relies on
+     * {@link URLConnection#getContentLength()} method which returns incorrect
+     * values for directories.
      *
      * @param request
      *            The request for the resource