authorFabian Lange <lange.fabian@gmail.com>2013-06-13 15:11:39 +0200
committerVaadin Code Review <review@vaadin.com>2013-07-10 06:07:31 +0000
commite4011c6fa4d7a00b718551885339854ceacc0cf0 (patch)
treeb60440af899c91e2b55d12898386f0c05d971de7 /server
parent6a4bbe52c399c58d43d7f81f322fe8b090df6921 (diff)
When InputStream cannot be opened while writing static resource response, display 404 instead of 500 (#10920)
A security audit revealed that it is possible to trigger an error 500 with stack trace by just trying a directory traversal. An example of this can be found in the sampler: http://demo.vaadin.com/sampler/VAADIN/widgetsets/ While there are other scenarios that can produce exceptions, in this place Vaadin can handle it more gracefully by just catching the exception and returning 404. Change-Id: Iec68d81d3bca365ec133737a9cd3e3b825d192b2
Diffstat (limited to 'server')
-rw-r--r--server/src/com/vaadin/server/VaadinServlet.java30
1 files changed, 17 insertions, 13 deletions
diff --git a/server/src/com/vaadin/server/VaadinServlet.java b/server/src/com/vaadin/server/VaadinServlet.java
index 94601d6599..803a903341 100644
--- a/server/src/com/vaadin/server/VaadinServlet.java
+++ b/server/src/com/vaadin/server/VaadinServlet.java
@@ -16,6 +16,7 @@
package com.vaadin.server;
import java.io.BufferedWriter;
+import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
@@ -645,19 +646,19 @@ public class VaadinServlet extends HttpServlet implements Constants {
"Failed to find out last modified timestamp. Continuing without it.",
e);
} finally {
- if (connection instanceof URLConnection) {
- try {
- // Explicitly close the input stream to prevent it
- // from remaining hanging
- // http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4257700
- InputStream is = connection.getInputStream();
- if (is != null) {
- is.close();
- }
- } catch (IOException e) {
- getLogger().log(Level.INFO,
- "Error closing URLConnection input stream", e);
+ try {
+ // Explicitly close the input stream to prevent it
+ // from remaining hanging
+ // http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4257700
+ InputStream is = connection.getInputStream();
+ if (is != null) {
+ is.close();
}
+ } catch (FileNotFoundException e) {
+ // Not logging when the file does not exist.
+ } catch (IOException e) {
+ getLogger().log(Level.INFO,
+ "Error closing URLConnection input stream", e);
}
}
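Review bot: Dropping the `connection instanceof URLConnection` guard also drops its implicit null check, so if `connection` can still be null when this `finally` runs (its assignment is above the hunk), the new `connection.getInputStream()` line would throw a NullPointerException out of the `finally` and mask the original error; if that is possible, keep `if (connection != null) {` around the new try block. The empty `catch (FileNotFoundException e)` is deliberate per its comment, but naming the variable `ignored` and saying why skipping is safe makes the intent checkable, e.g. `} catch (FileNotFoundException ignored) { // missing resource: the response is turned into a 404 where the body is written`. From an operations standpoint a `getLogger().log(Level.FINE, ...)` in that catch would keep repeated misses (such as the traversal probing described in the commit message) visible without emitting a stack trace at INFO. The enclosing method starts and ends outside this hunk.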
@@ -720,14 +721,17 @@ public class VaadinServlet extends HttpServlet implements Constants {
// prevent it from hanging, but that is done below.
}
- InputStream is = connection.getInputStream();
+ InputStream is = null;
try {
+ is = connection.getInputStream();
final OutputStream os = response.getOutputStream();
final byte buffer[] = new byte[DEFAULT_BUFFER_SIZE];
int bytes;
while ((bytes = is.read(buffer)) >= 0) {
os.write(buffer, 0, bytes);
}
+ } catch (FileNotFoundException e) {
+ response.setStatus(HttpServletResponse.SC_NOT_FOUND);
} finally {
if (is != null) {
is.close();