[backport camel-4.18.x] CAMEL-23522: camel-mail - gate JavaMail session properties from headers behind opt-in#23381
Merged. oscerd merged 1 commit into May 21, 2026.
…rs behind opt-in (apache#23362)

MailProducer.getSender extracted mail.smtp.* / mail.smtps.* exchange headers and applied them as JavaMail session properties on a per-message custom sender. The namespace is Camel-internal (only MailProducer interprets it) and is not filtered by any HeaderFilterStrategy, so a route chaining an untrusted producer (platform-http, JMS, Kafka, ...) into smtp/smtps without an explicit removeHeaders between them let an attacker drive transport-security settings (mail.smtp.ssl.trust, mail.smtp.starttls.enable, mail.smtp.socks.host, ...). This is the same conceptual pattern as the Camel* header injection family (CAMEL-23222 / CVE-2025-27636), with a namespace that was missed in that sweep.

Changes:
* New @UriParam useJavaMailSessionPropertiesFromHeaders (default false, label producer,advanced,security, security=insecure:ssl) on MailConfiguration. When false, MailProducer.getSender always returns the default sender.
* MailHeaderFilterStrategy now also filters mail.smtp. / mail.smtps. on the inbound path (defense in depth, mirroring CAMEL-23222).
* Doc note in mail-component.adoc with the security warning and the opt-in URI.
* Upgrade-guide entry in camel-4x-upgrade-guide-4_21.adoc.
* Tests for both flag values and for the header-filter strategy behaviour.

The build's SECURITY-OPTIONS generator picked up the new annotation and added the property to the policy-enforceable map in core/camel-util SecurityUtils.

Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
davsclaus approved these changes, May 20, 2026.
Croway approved these changes, May 20, 2026.
oscerd added a commit that referenced this pull request, May 21, 2026:
…ating (#23383)

Mirror the 4.18.x upgrade-guide entry for CAMEL-23522 (camel-mail - gate JavaMail session properties from headers behind opt-in) onto main, per the project's backport upgrade-guide policy: the camel-4x-upgrade-guide-4_XX.adoc files on main act as the canonical history across all releases, so any entry added on a maintenance branch must also land here.

Companion to the backport PR against camel-4.18.x (#23381) and the main PR (#23362).

Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Backport of #23362

Cherry-pick of #23362 onto `camel-4.18.x` (Jira: CAMEL-23522, fixVersion 4.18.3).

Original PR: #23362 — CAMEL-23522: camel-mail - gate JavaMail session properties from headers behind opt-in
Original author: @oscerd
Target branch: `camel-4.18.x`

Branch-specific adjustments

- The `security = "insecure:ssl"` attribute was removed from the `@UriParam`. `@UriParam.security` was introduced together with the security-policy enforcement framework (CAMEL-23250 / `core/camel-util/SecurityUtils`), which lives only on `main` / 4.21. On 4.18.x the categorisation is preserved through `label = "producer,advanced,security"` only.
- The `core/camel-util/SecurityUtils` change was dropped for the same reason — the file does not exist on this branch.
- `camel-4x-upgrade-guide-4_18.adoc` under "Upgrading from 4.18.2 to 4.18.3" (the 4_21 file used on `main` does not exist on this branch).
- The `xref:manual::security-model.adoc[…]` cross-link in `mail-component.adoc` was dropped because `security-model.adoc` was introduced on `main` only (CAMEL-23496) and is not present on 4.18.x — the xref-check would fail.
- `org.apache.camel.test.junit5.CamelTestSupport` (instead of the `junit6` package used on `main`).

A separate doc-sync PR will mirror the 4.18 upgrade-guide entry onto `main`, per the project's "Backport upgrade-guide policy" in CLAUDE.md.

Verification on `camel-4.18.x`

- `mvn test` in `components/camel-mail` — 218/218 pass (4 skipped, no failures); 7 new tests green (`MailSessionPropertiesFromHeadersTest` + `MailHeaderFilterStrategyTest`).
- `mvn clean install -DskipTests` exits 0 with all generated catalog mirrors, DSL builder factories, endpoint DSL, and component metadata regenerated and committed.

Original description (from #23362)

`MailProducer.getSender` extracted `mail.smtp.*` / `mail.smtps.*` exchange headers and applied them as JavaMail session properties on a per-message custom sender. The namespace is Camel-internal (only `MailProducer` interprets it) and is not filtered by any `HeaderFilterStrategy`. A route chaining an untrusted producer (e.g. `platform-http` query parameters, JMS/Kafka from untrusted producers) into `smtp`/`smtps` without an explicit `removeHeaders` between them therefore let an attacker drive transport-security settings: `mail.smtp.ssl.trust`, `mail.smtp.ssl.checkserveridentity`, `mail.smtp.starttls.enable`, `mail.smtp.socks.host`, etc.

This is the same conceptual pattern as the `Camel*` header-injection family (CAMEL-23222 / CVE-2025-27636), with a namespace that was missed in that sweep. The fix makes the per-message override opt-in (`useJavaMailSessionPropertiesFromHeaders`, default `false`).

Claude Code on behalf of Andrea Cosentino
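The description's mitigation for routes that feed untrusted headers into a mail endpoint is an explicit `removeHeaders` before it; the following `CamelTestSupport` test is an added example (not code from this PR or the Camel project) showing that a caller-supplied `mail.smtp.*` / `mail.smtps.*` header is gone by the time the message reaches the endpoint, while ordinary mail headers survive. The `direct:notify` and `mock:smtp` endpoints, the header values and the class name are assumptions; the mock stands in for the real `smtp://` endpoint.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.component.mock.MockEndpoint;
import org.apache.camel.test.junit5.CamelTestSupport;
import org.junit.jupiter.api.Test;

// Added example: verifies that JavaMail session properties arriving as exchange
// headers are stripped before the (mocked) mail endpoint sees them.
public class MailSessionHeaderStrippingTest extends CamelTestSupport {

    @Test
    public void untrustedMailSessionHeadersAreDroppedBeforeSmtp() throws Exception {
        MockEndpoint mock = getMockEndpoint("mock:smtp");
        mock.expectedMessageCount(1);
        // Business header must survive; the session-property namespace must not.
        mock.message(0).header("Subject").isEqualTo("hello");
        mock.message(0).header("mail.smtp.ssl.trust").isNull();
        mock.message(0).header("mail.smtps.starttls.enable").isNull();

        // Constructed headers modelling what an untrusted upstream could supply.
        Map<String, Object> headers = new HashMap<>();
        headers.put("Subject", "hello");
        headers.put("mail.smtp.ssl.trust", "*");            // would disable trust checks
        headers.put("mail.smtps.starttls.enable", "false"); // would downgrade transport
        template.sendBodyAndHeaders("direct:notify", "body", headers);

        mock.assertIsSatisfied();
    }

    @Override
    protected RouteBuilder createRouteBuilder() {
        return new RouteBuilder() {
            @Override
            public void configure() {
                from("direct:notify")
                    // Prefix wildcard covers both mail.smtp.* and mail.smtps.*.
                    .removeHeaders("mail.smtp*")
                    // In a real route this would be the smtp:// endpoint, left with
                    // useJavaMailSessionPropertiesFromHeaders at its default (false).
                    .to("mock:smtp");
            }
        };
    }
}
```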