[ https://issues.apache.org/jira/browse/CAMEL-21880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17936475#comment-17936475 ]
Jens Kordowski commented on CAMEL-21880:
----------------------------------------

I am wondering about the change from being case-insensitive to case-sensitive that I outlined above. This was either a desired change, in which case you do not want to adapt now at all. Or this was a mistake, in which case changing it now corrects the previous mistake (or bug). I could understand this being an improvement, if the kafka component was never case-insensitive.

Anyway, however you declare this, I do not care too much tbh. I also don't need a 3.x fix for this. I primarily wanted to get your opinion, if that CVE requires more header filter strategies to be adapted or not. Why is the CVE only relevant for HTTP endpoints? Are other protocols different in the regard how Camel headers coming from the outside may influence internal behavior?

> camel-kafka - add lowerCase to header filter strategy
> -----------------------------------------------------
>
>                 Key: CAMEL-21880
>                 URL: https://issues.apache.org/jira/browse/CAMEL-21880
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-kafka
>    Affects Versions: 3.22.3, 4.10.2
>            Reporter: Jens Kordowski
>            Priority: Major
>
> Due to [https://www.cve.org/CVERecord?id=CVE-2025-27636] the following
> extension has been implemented:
> https://issues.apache.org/jira/browse/CAMEL-21828
> This has an effect on
> [https://github.com/apache/camel/blob/main/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpHeaderFilterStrategy.java]
> as it sets lowerCase to true.
> The same is not true for
> [https://github.com/apache/camel/blob/main/components/camel-kafka/src/main/java/org/apache/camel/component/kafka/KafkaHeaderFilterStrategy.java]
> Very old implementations of the same
> ([https://github.com/apache/camel/blob/camel-2.25.4/components/camel-kafka/src/main/java/org/apache/camel/component/kafka/KafkaHeaderFilterStrategy.java])
> were using patterns, which were explicitly marked case-insensitive and this
> changed thereafter. Following this recent CVE and the changes, I assume this
> was not desired, hence I marked it as bug.
>
> There might be other header filter strategies out there that do not set
> lowerCase to true.
>
> Best regards
> Jens

--
This message was sent by Atlassian Jira (v8.20.10#820010)
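
An added example, not part of the issue or of Camel's code base: a simplified, dependency-free model of a prefix-based header filter, showing what the lowerCase setting discussed above changes. The class PrefixHeaderFilter, its prefix configuration and the header names are assumptions constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public class HeaderFilterCaseDemo {

    // Hypothetical stand-in for a prefix-based header filter; not a Camel class.
    static final class PrefixHeaderFilter {
        private final boolean lowerCase;
        private final String[] blockedPrefixes;

        PrefixHeaderFilter(boolean lowerCase, String... blockedPrefixes) {
            this.lowerCase = lowerCase;
            this.blockedPrefixes = blockedPrefixes;
        }

        // True when the header must not cross the endpoint boundary.
        boolean isFiltered(String name) {
            // With lowerCase set, the name is normalised before comparison,
            // so every casing of a blocked prefix is caught.
            String candidate = lowerCase ? name.toLowerCase(Locale.ENGLISH) : name;
            for (String prefix : blockedPrefixes) {
                if (candidate.startsWith(prefix)) {
                    return true;
                }
            }
            return false;
        }

        Map<String, String> apply(Map<String, String> inbound) {
            Map<String, String> kept = new LinkedHashMap<>();
            inbound.forEach((k, v) -> { if (!isFiltered(k)) kept.put(k, v); });
            return kept;
        }
    }

    public static void main(String[] args) {
        // Constructed inbound record headers (sample data, not from the issue).
        Map<String, String> inbound = new LinkedHashMap<>();
        inbound.put("x-trace-id", "abc123");
        inbound.put("CamelExampleInternal", "a");
        inbound.put("CAmelExampleInternal", "b");

        PrefixHeaderFilter caseSensitive = new PrefixHeaderFilter(false, "Camel", "camel");
        PrefixHeaderFilter lowerCased = new PrefixHeaderFilter(true, "camel");

        System.out.println("case-sensitive keeps: " + caseSensitive.apply(inbound).keySet());
        System.out.println("lowerCase keeps:      " + lowerCased.apply(inbound).keySet());
    }
}
```

The case-sensitive filter keeps the mixed-case name while the lowerCase one drops it; the difference matters whenever the code that later reads the headers resolves names case-insensitively.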