hudson.remoting.URLDeserializationHelper

public class URLDeserializationHelper extends Object

SECURITY-637, this helper wraps the URL into a "safe" version if the url has a non-empty host and the JVM configuration is standard. Essentially the wrap does not provide the same logic for URLStreamHandler.hashCode(URL) and URLStreamHandler.equals(URL, URL) but a version that use directly the String representation instead of requesting the DNS to have name equivalence.

Since:: 3.25

Constructor Summary

Constructors

Constructor

Description

URLDeserializationHelper()
Method Summary

Modifier and Type

Method

Description

static URL

wrapIfRequired(URL url)

Wraps the given URL into a "safe" version against deserialization attack if the url has a non-empty host and the JVM configuration is standard.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details
- URLDeserializationHelper
  
  public URLDeserializationHelper()
Method Details
- wrapIfRequired
  
  @NonNull public static URL wrapIfRequired(@NonNull URL url) throws IOException
  
  Wraps the given URL into a "safe" version against deserialization attack if the url has a non-empty host and the JVM configuration is standard.
  
  Throws:
  
  IOException

Class URLDeserializationHelper

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Constructor Details

URLDeserializationHelper

Method Details

wrapIfRequired