[
https://issues.apache.org/jira/browse/CAMEL-23747?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Claus Ibsen updated CAMEL-23747:
--------------------------------
Component/s: camel-mail
> camel-mail - useHeader* options should default to false for secure-by-default
> -----------------------------------------------------------------------------
>
> Key: CAMEL-23747
> URL: https://issues.apache.org/jira/browse/CAMEL-23747
> Project: Camel
> Issue Type: Improvement
> Components: camel-mail
> Reporter: Claus Ibsen
> Priority: Major
> Labels: security
> Fix For: 4.21.0
>
>
> The new useHeaderRecipients, useHeaderFrom, useHeaderReplyTo, and
> useHeaderSubject options added in CAMEL-23520 currently default to true
> (backward compatible). They should default to false (secure by default) to
> prevent untrusted exchange headers from overriding endpoint URI mail
> configuration.
> h3. Rationale
> 1. *Security model alignment* - The security model states "All of the above
> hold with zero security configuration", meaning the framework should not
> require operator action to be safe. With default=true, an HTTP consumer
> chained into smtp:// lets an attacker redirect emails by injecting
> To/From/Subject/Reply-To headers.
> 2. *Precedent in the same component* - CAMEL-23522 added
> useJavaMailSessionPropertiesFromHeaders with default=false (opt-in). Its
> commit message explicitly calls it "the same conceptual pattern as the Camel*
> header injection family (CVE-2025-27636)." The useHeader* options are the
> same pattern and should follow the same default.
> 3. *Camel security policy* - The design/security.adoc states: "New defaults
> err toward denied unless opted in." Defaulting to true is the opposite.
> Routes that explicitly set headers via .setHeader("To", ...) are route-author
> code and can add useHeaderRecipients=true to the endpoint URI. Routes where
> headers flow through from an untrusted upstream become secure by default.
> h3. Global configuration
> These options are on MailConfiguration which is shared by the MailComponent,
> so they can be set globally for all endpoints via component-level properties:
> {code}
> camel.component.smtp.useHeaderRecipients=false
> camel.component.smtp.useHeaderFrom=false
> camel.component.smtp.useHeaderSubject=false
> camel.component.smtp.useHeaderReplyTo=false
> {code}
> This avoids having to set them on every endpoint URI. When the defaults
> change to false, users who need the old behavior can restore it globally with
> the inverse (=true).
> This change requires an upgrade guide entry documenting the new defaults and
> the one-line migration.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
