hudson.remoting

Class URLDeserializationHelper

java.lang.Object

hudson.remoting.URLDeserializationHelper

public class URLDeserializationHelper
extends Object

SECURITY-637, this helper wraps the URL into a "safe" version if the url has a non-empty host and the JVM configuration is standard. Essentially the wrap does not provide the same logic for URLStreamHandler.hashCode(URL) and URLStreamHandler.equals(URL, URL) but a version that use directly the String representation instead of requesting the DNS to have name equivalence.

Since:

3.25

Constructor Summary

Constructors

Constructor and Description
URLDeserializationHelper()

Method Summary

Modifier and Type	Method and Description
static URL	wrapIfRequired(URL url) Wraps the given URL into a "safe" version against deserialization attack if the url has a non-empty host and the JVM configuration is standard.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

URLDeserializationHelper

public URLDeserializationHelper()

Method Detail

wrapIfRequired

@Nonnull
public static URL wrapIfRequired(@Nonnull
                                          URL url)
                                   throws IOException

Wraps the given URL into a "safe" version against deserialization attack if the url has a non-empty host and the JVM configuration is standard.

Throws:

IOException