Claus Ibsen created CAMEL-23747:
-----------------------------------
Summary: camel-mail - useHeader* options should default to false for secure-by-default
Key: CAMEL-23747
URL: https://issues.apache.org/jira/browse/CAMEL-23747
Project: Camel
Issue Type: Improvement
Reporter: Claus Ibsen
The new useHeaderRecipients, useHeaderFrom, useHeaderReplyTo, and
useHeaderSubject options added in CAMEL-23520 currently default to true
(backward compatible). They should default to false (secure by default) to
prevent untrusted exchange headers from overriding endpoint URI mail
configuration.
h3. Rationale
1. *Security model alignment* - The security model states "All of the above
hold with zero security configuration", meaning the framework should not
require operator action to be safe. With default=true, an HTTP consumer chained
into smtp:// lets an attacker redirect emails by injecting
To/From/Subject/Reply-To headers.
2. *Precedent in the same component* - CAMEL-23522 added
useJavaMailSessionPropertiesFromHeaders with default=false (opt-in). Its commit
message explicitly calls it "the same conceptual pattern as the Camel* header
injection family (CVE-2025-27636)." The useHeader* options are the same pattern
and should follow the same default.
3. *Camel security policy* - The design/security.adoc states: "New defaults err
toward denied unless opted in." Defaulting to true is the opposite.
Routes that explicitly set headers via .setHeader("To", ...) are route-author
code and can add useHeaderRecipients=true to the endpoint URI. Routes where
headers flow through from an untrusted upstream become secure by default.
This change requires an upgrade guide entry documenting the new defaults and
the one-line migration (add useHeaderRecipients=true etc. to the endpoint URI).
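As an added illustration (not code from the issue or from the Camel project), the two route shapes the description contrasts: an untrusted HTTP consumer feeding smtp://, and a route-author-controlled route that opts in to header recipients. Hosts, addresses and endpoint names are placeholders; the option names and URI parameters are those named in the issue and the camel-mail component.

```java
import org.apache.camel.builder.RouteBuilder;

public class MailRoutes extends RouteBuilder {
    @Override
    public void configure() {
        // Untrusted inbound: HTTP request headers such as To, From, Subject and
        // Reply-To land on the exchange. Setting the useHeader* options to false
        // explicitly makes the mail endpoint use only the URI values below, so
        // an injected "To" header cannot redirect the message. Spelling them out
        // also keeps the route safe on versions where the defaults are still true.
        from("jetty:http://0.0.0.0:8080/contact")          // placeholder consumer
            .to("smtp://mail.example.invalid:25"           // placeholder host
                + "?to=support@example.invalid"
                + "&from=noreply@example.invalid"
                + "&subject=Website-contact"
                + "&useHeaderRecipients=false"
                + "&useHeaderFrom=false"
                + "&useHeaderReplyTo=false"
                + "&useHeaderSubject=false");

        // Route-author controlled: the recipient comes from route code, not from
        // the caller, so opting in with useHeaderRecipients=true is the documented
        // one-line migration for this kind of route.
        from("timer:dailyReport?period=86400000")        // placeholder trigger
            .setHeader("To", constant("ops@example.invalid"))
            .setBody(constant("Daily report"))
            .to("smtp://mail.example.invalid:25"
                + "?from=reports@example.invalid"
                + "&useHeaderRecipients=true");
    }
}
```

Reviewing endpoints for `useHeaderRecipients=true` (or any useHeader* opt-in) and confirming the corresponding header is set by route code rather than by an upstream consumer is the check to run when adopting the new defaults.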
--
This message was sent by Atlassian Jira
(v8.20.10#820010)