From e4011c6fa4d7a00b718551885339854ceacc0cf0 Mon Sep 17 00:00:00 2001
From: Fabian Lange
Date: Thu, 13 Jun 2013 15:11:39 +0200
Subject: [PATCH] When InputStream cannot be opened while writing static resource response, display 404 instead of 500 (#10920)

A security audit revealed that it is possible to trigger an error 500 with stack trace by just trying a directory traversal. An example of this can be found in the sampler: http://demo.vaadin.com/sampler/VAADIN/widgetsets/ While there are other scenarios that can produce exceptions, in this place Vaadin can handle it more graceful by just catching the exception and returning 404.

Change-Id: Iec68d81d3bca365ec133737a9cd3e3b825d192b2
---
 .../src/com/vaadin/server/VaadinServlet.java | 30 +++++++++++--------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/server/src/com/vaadin/server/VaadinServlet.java b/server/src/com/vaadin/server/VaadinServlet.java
index 94601d6599..803a903341 100644
--- a/server/src/com/vaadin/server/VaadinServlet.java
+++ b/server/src/com/vaadin/server/VaadinServlet.java
@@ -16,6 +16,7 @@ package com.vaadin.server;
 import java.io.BufferedWriter;
+import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -645,19 +646,19 @@ public class VaadinServlet extends HttpServlet implements Constants {
                             "Failed to find out last modified timestamp. Continuing without it.",
                             e);
         } finally {
-            if (connection instanceof URLConnection) {
-                try {
-                    // Explicitly close the input stream to prevent it
-                    // from remaining hanging
-                    // http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4257700
-                    InputStream is = connection.getInputStream();
-                    if (is != null) {
-                        is.close();
-                    }
-                } catch (IOException e) {
-                    getLogger().log(Level.INFO,
-                            "Error closing URLConnection input stream", e);
+            try {
+                // Explicitly close the input stream to prevent it
+                // from remaining hanging
+                // http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4257700
+                InputStream is = connection.getInputStream();
+                if (is != null) {
+                    is.close();
                 }
+            } catch (FileNotFoundException e) {
+                // Not logging when the file does not exist.
+            } catch (IOException e) {
+                getLogger().log(Level.INFO,
+                        "Error closing URLConnection input stream", e);
             }
         }
@@ -720,14 +721,17 @@ public class VaadinServlet extends HttpServlet implements Constants {
             // prevent it from hanging, but that is done below.
         }
-        InputStream is = connection.getInputStream();
+        InputStream is = null;
         try {
+            is = connection.getInputStream();
             final OutputStream os = response.getOutputStream();
             final byte buffer[] = new byte[DEFAULT_BUFFER_SIZE];
             int bytes;
             while ((bytes = is.read(buffer)) >= 0) {
                 os.write(buffer, 0, bytes);
             }
+        } catch (FileNotFoundException e) {
+            response.setStatus(HttpServletResponse.SC_NOT_FOUND);
         } finally {
             if (is != null) {
                 is.close();
-- 
2.39.5
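Review bot: The dropped `if (connection instanceof URLConnection)` guard was also the only null check on `connection` in this finally block, since `instanceof` is false for null; where `connection` is assigned is outside the hunk, but if it is declared null and opened inside the preceding try (the one that falls back when the last-modified lookup fails), a failed open now surfaces as a NullPointerException thrown from finally, which is exactly the 500 with stack trace this commit sets out to remove. Keep the guard as an explicit null check, `if (connection != null) {` wrapping the new try/catch. The quiet `catch (FileNotFoundException e)` is acceptable here because the same resource is opened again further down and the 404 is decided there. The enclosing method starts before and ends after this hunk.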
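Review bot: The new `catch (FileNotFoundException e)` answers 404 but drops the exception without a log line, so the probes the commit message describes leave no trace for operators; `getLogger()` is already used in the previous hunk, so a low-level entry such as `getLogger().log(Level.FINE, "Static resource not found", e);` keeps the event detectable without sending a stack trace to the client (include the requested path if a variable for it is in scope — none is visible in the hunk). Also worth confirming: the catch only covers a `getInputStream()` that throws, whereas a `file:` URL naming a directory typically returns a stream (the JDK file handler yields a newline-separated name listing), which the copy loop would then send as the response body, so a directory resource should be rejected before this point rather than relying on the exception. Any headers set earlier in the method (not visible here) also stay on the 404 response. The enclosing method starts before and ends after this hunk.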