[
https://issues.apache.org/jira/browse/CAMEL-23747?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Claus Ibsen updated CAMEL-23747:
--------------------------------
Description:
The new useHeaderRecipients, useHeaderFrom, useHeaderReplyTo, and
useHeaderSubject options added in CAMEL-23520 currently default to true
(backward compatible). They should default to false (secure by default) to
prevent untrusted exchange headers from overriding endpoint URI mail
configuration.
h3. Rationale
1. *Security model alignment* - The security model states "All of the above
hold with zero security configuration", meaning the framework should not
require operator action to be safe. With default=true, an HTTP consumer chained
into smtp:// lets an attacker redirect emails by injecting
To/From/Subject/Reply-To headers.
2. *Precedent in the same component* - CAMEL-23522 added
useJavaMailSessionPropertiesFromHeaders with default=false (opt-in). Its commit
message explicitly calls it "the same conceptual pattern as the Camel* header
injection family (CVE-2025-27636)." The useHeader* options are the same pattern
and should follow the same default.
3. *Camel security policy* - The design/security.adoc states: "New defaults err
toward denied unless opted in." Defaulting to true is the opposite.
Routes that explicitly set headers via .setHeader("To", ...) are route-author
code and can add useHeaderRecipients=true to the endpoint URI. Routes where
headers flow through from an untrusted upstream become secure by default.
h3. Global configuration
These options are on MailConfiguration which is shared by the MailComponent, so
they can be set globally for all endpoints via component-level properties:
{code}
camel.component.smtp.useHeaderRecipients=false
camel.component.smtp.useHeaderFrom=false
camel.component.smtp.useHeaderSubject=false
camel.component.smtp.useHeaderReplyTo=false
{code}
This avoids having to set them on every endpoint URI. When the defaults change
to false, users who need the old behavior can restore it globally with the
inverse (=true).
This change requires an upgrade guide entry documenting the new defaults and
the one-line migration.
was:
The new useHeaderRecipients, useHeaderFrom, useHeaderReplyTo, and
useHeaderSubject options added in CAMEL-23520 currently default to true
(backward compatible). They should default to false (secure by default) to
prevent untrusted exchange headers from overriding endpoint URI mail
configuration.
h3. Rationale
1. *Security model alignment* - The security model states "All of the above
hold with zero security configuration", meaning the framework should not
require operator action to be safe. With default=true, an HTTP consumer chained
into smtp:// lets an attacker redirect emails by injecting
To/From/Subject/Reply-To headers.
2. *Precedent in the same component* - CAMEL-23522 added
useJavaMailSessionPropertiesFromHeaders with default=false (opt-in). Its commit
message explicitly calls it "the same conceptual pattern as the Camel* header
injection family (CVE-2025-27636)." The useHeader* options are the same pattern
and should follow the same default.
3. *Camel security policy* - The design/security.adoc states: "New defaults err
toward denied unless opted in." Defaulting to true is the opposite.
Routes that explicitly set headers via .setHeader("To", ...) are route-author
code and can add useHeaderRecipients=true to the endpoint URI. Routes where
headers flow through from an untrusted upstream become secure by default.
This change requires an upgrade guide entry documenting the new defaults and
the one-line migration (add useHeaderRecipients=true etc. to the endpoint URI).
> camel-mail - useHeader* options should default to false for secure-by-default
> -----------------------------------------------------------------------------
>
> Key: CAMEL-23747
> URL: https://issues.apache.org/jira/browse/CAMEL-23747
> Project: Camel
> Issue Type: Improvement
> Reporter: Claus Ibsen
> Priority: Major
> Labels: security
>
> The new useHeaderRecipients, useHeaderFrom, useHeaderReplyTo, and
> useHeaderSubject options added in CAMEL-23520 currently default to true
> (backward compatible). They should default to false (secure by default) to
> prevent untrusted exchange headers from overriding endpoint URI mail
> configuration.
> h3. Rationale
> 1. *Security model alignment* - The security model states "All of the above
> hold with zero security configuration", meaning the framework should not
> require operator action to be safe. With default=true, an HTTP consumer
> chained into smtp:// lets an attacker redirect emails by injecting
> To/From/Subject/Reply-To headers.
> 2. *Precedent in the same component* - CAMEL-23522 added
> useJavaMailSessionPropertiesFromHeaders with default=false (opt-in). Its
> commit message explicitly calls it "the same conceptual pattern as the Camel*
> header injection family (CVE-2025-27636)." The useHeader* options are the
> same pattern and should follow the same default.
> 3. *Camel security policy* - The design/security.adoc states: "New defaults
> err toward denied unless opted in." Defaulting to true is the opposite.
> Routes that explicitly set headers via .setHeader("To", ...) are route-author
> code and can add useHeaderRecipients=true to the endpoint URI. Routes where
> headers flow through from an untrusted upstream become secure by default.
> h3. Global configuration
> These options are on MailConfiguration which is shared by the MailComponent,
> so they can be set globally for all endpoints via component-level properties:
> {code}
> camel.component.smtp.useHeaderRecipients=false
> camel.component.smtp.useHeaderFrom=false
> camel.component.smtp.useHeaderSubject=false
> camel.component.smtp.useHeaderReplyTo=false
> {code}
> This avoids having to set them on every endpoint URI. When the defaults
> change to false, users who need the old behavior can restore it globally with
> the inverse (=true).
> This change requires an upgrade guide entry documenting the new defaults and
> the one-line migration.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
