Class URLDeserializationHelper


  • public class URLDeserializationHelper
    extends Object
    Introduced for SECURITY-637. This helper wraps the URL into a "safe" version if the URL has a non-empty host and the JVM configuration is standard. The wrapper does not use the default logic of URLStreamHandler.hashCode(URL) and URLStreamHandler.equals(URL, URL); instead it uses a version that works directly on the String representation of the URL, rather than querying DNS to determine host name equivalence.
    Since:
    3.25
    • Constructor Detail

      • URLDeserializationHelper

        public URLDeserializationHelper()
    • Method Detail

      • wrapIfRequired

        @NonNull
        public static URL wrapIfRequired(@NonNull URL url)
                                  throws IOException
        Wraps the given URL into a version that is "safe" against deserialization attacks, if the URL has a non-empty host and the JVM configuration is standard.
        Throws:
        IOException
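
The String-based comparison described above can be sketched as follows. This is an added example, not the Jenkins remoting implementation: the names StringBasedUrlDemo, StringComparingHandler and wrap and the sample host are assumptions, and the "standard JVM configuration" check is not reproduced.

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLStreamHandler;
import java.util.HashSet;
import java.util.Set;

public class StringBasedUrlDemo {
    /** Hypothetical handler: compares and hashes URLs by their String form, never via DNS. */
    static final class StringComparingHandler extends URLStreamHandler {
        @Override
        protected int hashCode(URL u) {
            return u.toExternalForm().hashCode();
        }

        @Override
        protected boolean equals(URL u1, URL u2) {
            return u1.toExternalForm().equals(u2.toExternalForm());
        }

        @Override
        protected boolean hostsEqual(URL u1, URL u2) {
            // The default implementation resolves both hosts; compare the names instead.
            String h1 = u1.getHost(), h2 = u2.getHost();
            return h1 == null ? h2 == null : h1.equalsIgnoreCase(h2);
        }

        @Override
        protected URLConnection openConnection(URL u) throws IOException {
            // Delegate to a plain URL so the JVM's default handler opens the connection.
            return new URL(u.toExternalForm()).openConnection();
        }
    }

    /** Rebuilds the URL with the String-based handler when it has a non-empty host. */
    static URL wrap(URL url) throws IOException {
        if (url.getHost() == null || url.getHost().isEmpty()) {
            return url;
        }
        return new URL(null, url.toExternalForm(), new StringComparingHandler());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample host under the reserved .invalid TLD; it never resolves.
        URL safe = wrap(new URL("http://host.example.invalid/a.jar"));
        Set<URL> seen = new HashSet<>();
        seen.add(safe); // hashCode() uses the String form, so no name lookup is made
        System.out.println(seen.contains(wrap(new URL("http://host.example.invalid/a.jar"))));
    }
}
```

Because the handler travels with the URL instance, any collection that later calls hashCode() or equals() on the wrapped URL stays on the String-based path.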