[ 
https://issues.apache.org/jira/browse/CAMEL-23891?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andrea Cosentino updated CAMEL-23891:
-------------------------------------
    Fix Version/s: 4.14.9
                   4.18.4
                       (was: 4.18.3)
                       (was: 4.14.8)
      Description: 
When {{MimeMultipartDataFormat}} unmarshals a MIME message with 
{{headersInline=true}}, {{copyNonStandardHeaders()}} copies every MIME header 
(except {{Message-ID}}, {{MIME-Version}} and {{Content-Type}}) directly into 
the Camel message header map via {{Message.setHeader(...)}}, with no 
{{HeaderFilterStrategy}} applied. As a result, MIME header names in Camel's 
internal {{Camel*}} / {{org.apache.camel.*}} namespace are promoted into the 
{{Exchange}} as-is.

This is inconsistent with:
* the camel-mail _consumer_ path, which applies {{MailHeaderFilterStrategy}} 
(extends {{DefaultHeaderFilterStrategy}}) and filters the {{Camel*}} / 
{{org.apache.camel.*}} namespace case-insensitively on the inbound direction;
* the data format's own _marshal_ path, where inline headers are copied only 
when they match an explicit {{includeHeaders}} pattern (opt-in), whereas the 
unmarshal path copies everything;
* the general convention that inbound mappers apply a strict, case-insensitive 
{{HeaderFilterStrategy}} for the {{Camel*}} namespace.

h4. Proposed change
* In {{copyNonStandardHeaders(...)}} (and, for consistency, the 
attachment-header copy in {{extractAttachments(...)}}), skip header names in 
the {{Camel*}} / {{org.apache.camel.*}} namespace, matched case-insensitively 
-- e.g. by delegating to 
{{DefaultHeaderFilterStrategy.applyFilterToExternalHeaders(...)}} rather than 
re-implementing prefix checks.
* Optionally expose a configurable {{HeaderFilterStrategy}} on the data format 
(defaulting to the strict behaviour) so a route author who genuinely needs such 
headers can opt in explicitly, preserving backwards compatibility where 
required.
* Add unit tests: (a) an inbound {{Camel*}} MIME header is not promoted by 
default; (b) ordinary application headers (e.g. {{X-...}}) still pass through; 
(c) case-insensitive matching ({{camelXxx}}, {{CAMELXxx}}).

h4. Affected files
* 
{{components/camel-mail/src/main/java/org/apache/camel/dataformat/mime/multipart/MimeMultipartDataFormat.java}}
* tests under {{components/camel-mail/src/test/java/...}}

h4. Documentation
Note the behaviour change in the camel-mail data format docs and the 4.x 
upgrade guide: default-deny of inbound {{Camel*}} headers on 
{{headersInline=true}} unmarshal is a potential behaviour change for routes 
relying on the prior pass-through.

h4. Backport
The code is identical on {{main}}, {{camel-4.18.x}} and {{camel-4.14.x}} 
(present since 2.17.0). To be backported to the active maintenance lines 
(4.18.4 and 4.14.9). The freshly-cut {{camel-4.21.x}} line is also affected; a 
4.21.1 backport should be included if that line receives a maintenance release.

  was:
When {{MimeMultipartDataFormat}} unmarshals a MIME message with 
{{headersInline=true}}, {{copyNonStandardHeaders()}} copies every MIME header 
(except {{Message-ID}}, {{MIME-Version}} and {{Content-Type}}) directly into 
the Camel message header map via {{Message.setHeader(...)}}, with no 
{{HeaderFilterStrategy}} applied. As a result, MIME header names in Camel's 
internal {{Camel*}} / {{org.apache.camel.*}} namespace are promoted into the 
{{Exchange}} as-is.

This is inconsistent with:
* the camel-mail _consumer_ path, which applies {{MailHeaderFilterStrategy}} 
(extends {{DefaultHeaderFilterStrategy}}) and filters the {{Camel*}} / 
{{org.apache.camel.*}} namespace case-insensitively on the inbound direction;
* the data format's own _marshal_ path, where inline headers are copied only 
when they match an explicit {{includeHeaders}} pattern (opt-in), whereas the 
unmarshal path copies everything;
* the general convention that inbound mappers apply a strict, case-insensitive 
{{HeaderFilterStrategy}} for the {{Camel*}} namespace.

h4. Proposed change
* In {{copyNonStandardHeaders(...)}} (and, for consistency, the 
attachment-header copy in {{extractAttachments(...)}}), skip header names in 
the {{Camel*}} / {{org.apache.camel.*}} namespace, matched case-insensitively 
-- e.g. by delegating to 
{{DefaultHeaderFilterStrategy.applyFilterToExternalHeaders(...)}} rather than 
re-implementing prefix checks.
* Optionally expose a configurable {{HeaderFilterStrategy}} on the data format 
(defaulting to the strict behaviour) so a route author who genuinely needs such 
headers can opt in explicitly, preserving backwards compatibility where 
required.
* Add unit tests: (a) an inbound {{Camel*}} MIME header is not promoted by 
default; (b) ordinary application headers (e.g. {{X-...}}) still pass through; 
(c) case-insensitive matching ({{camelXxx}}, {{CAMELXxx}}).

h4. Affected files
* 
{{components/camel-mail/src/main/java/org/apache/camel/dataformat/mime/multipart/MimeMultipartDataFormat.java}}
* tests under {{components/camel-mail/src/test/java/...}}

h4. Documentation
Note the behaviour change in the camel-mail data format docs and the 4.x 
upgrade guide: default-deny of inbound {{Camel*}} headers on 
{{headersInline=true}} unmarshal is a potential behaviour change for routes 
relying on the prior pass-through.

h4. Backport
The code is identical on {{main}}, {{camel-4.18.x}} and {{camel-4.14.x}} 
(present since 2.17.0). To be backported to the active maintenance lines 
(4.18.3 and 4.14.8). The freshly-cut {{camel-4.21.x}} line is also affected; a 
4.21.1 backport should be included if that line receives a maintenance release.


> camel-mail: apply inbound Camel* header filtering in MimeMultipartDataFormat 
> unmarshal (headersInline=true), consistent with the mail consumer
> ----------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CAMEL-23891
>                 URL: https://issues.apache.org/jira/browse/CAMEL-23891
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-mail
>            Reporter: Andrea Cosentino
>            Assignee: Andrea Cosentino
>            Priority: Major
>             Fix For: 4.14.9, 4.18.4, 4.22.0
>
>
> When {{MimeMultipartDataFormat}} unmarshals a MIME message with 
> {{headersInline=true}}, {{copyNonStandardHeaders()}} copies every MIME header 
> (except {{Message-ID}}, {{MIME-Version}} and {{Content-Type}}) directly into 
> the Camel message header map via {{Message.setHeader(...)}}, with no 
> {{HeaderFilterStrategy}} applied. As a result, MIME header names in Camel's 
> internal {{Camel*}} / {{org.apache.camel.*}} namespace are promoted into the 
> {{Exchange}} as-is.
> This is inconsistent with:
> * the camel-mail _consumer_ path, which applies {{MailHeaderFilterStrategy}} 
> (extends {{DefaultHeaderFilterStrategy}}) and filters the {{Camel*}} / 
> {{org.apache.camel.*}} namespace case-insensitively on the inbound direction;
> * the data format's own _marshal_ path, where inline headers are copied only 
> when they match an explicit {{includeHeaders}} pattern (opt-in), whereas the 
> unmarshal path copies everything;
> * the general convention that inbound mappers apply a strict, 
> case-insensitive {{HeaderFilterStrategy}} for the {{Camel*}} namespace.
> h4. Proposed change
> * In {{copyNonStandardHeaders(...)}} (and, for consistency, the 
> attachment-header copy in {{extractAttachments(...)}}), skip header names in 
> the {{Camel*}} / {{org.apache.camel.*}} namespace, matched case-insensitively 
> -- e.g. by delegating to 
> {{DefaultHeaderFilterStrategy.applyFilterToExternalHeaders(...)}} rather than 
> re-implementing prefix checks.
> * Optionally expose a configurable {{HeaderFilterStrategy}} on the data 
> format (defaulting to the strict behaviour) so a route author who genuinely 
> needs such headers can opt in explicitly, preserving backwards compatibility 
> where required.
> * Add unit tests: (a) an inbound {{Camel*}} MIME header is not promoted by 
> default; (b) ordinary application headers (e.g. {{X-...}}) still pass 
> through; (c) case-insensitive matching ({{camelXxx}}, {{CAMELXxx}}).
> h4. Affected files
> * 
> {{components/camel-mail/src/main/java/org/apache/camel/dataformat/mime/multipart/MimeMultipartDataFormat.java}}
> * tests under {{components/camel-mail/src/test/java/...}}
> h4. Documentation
> Note the behaviour change in the camel-mail data format docs and the 4.x 
> upgrade guide: default-deny of inbound {{Camel*}} headers on 
> {{headersInline=true}} unmarshal is a potential behaviour change for routes 
> relying on the prior pass-through.
> h4. Backport
> The code is identical on {{main}}, {{camel-4.18.x}} and {{camel-4.14.x}} 
> (present since 2.17.0). To be backported to the active maintenance lines 
> (4.18.4 and 4.14.9). The freshly-cut {{camel-4.21.x}} line is also affected; 
> a 4.21.1 backport should be included if that line receives a maintenance 
> release.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to