[SECURITY-195] - Throw the MalformedURLException if the request inclu…

…des the relative addressing

core/src/main/java/hudson/model/Slave.java

@@ -323,6 +323,13 @@ private URLConnection connect() throws IOException {
         public URL getURL() throws MalformedURLException {
             String name = fileName;
             if (name.equals("hudson-cli.jar"))  name="jenkins-cli.jar";
+
+            // Prevent the sandbox escaping (SECURITY-195)
+            if (name.contains("..")) {
+                throw new MalformedURLException("The specified file path " + fileName + " contains '..'. "
+                        + "The path is not allowed due to security reasons");
+            }
+
             URL res = Jenkins.getInstance().servletContext.getResource("/WEB-INF/" + name);
             if(res==null) {
                 // during the development this path doesn't have the files.