From 5175041cc58e600259431947b70a73bdd525075c Mon Sep 17 00:00:00 2001
From: Andrea Cosentino
Date: Thu, 21 May 2026 13:09:02 +0200
Subject: [PATCH] CAMEL-23522: doc-sync 4.14 upgrade guide for camel-mail mail.smtp.* gating

Mirror the 4.14.x upgrade-guide entry for CAMEL-23522 (camel-mail - gate JavaMail session properties from headers behind opt-in) onto main, per the project's backport upgrade-guide policy: the camel-4x-upgrade-guide-4_XX.adoc files on main act as the canonical history across all releases, so any entry added on a maintenance branch must also land here.

Companion to the backport PR against camel-4.14.x (#23416), the 4.18.x backport (#23381), the 4.18 doc-sync (#23383) and the main PR (#23362).

Signed-off-by: Andrea Cosentino
---
 .../pages/camel-4x-upgrade-guide-4_14.adoc | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_14.adoc b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_14.adoc
index ed843ccc9bbd2..4c4579f9ebf95 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_14.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_14.adoc
@@ -179,6 +179,29 @@ work without changes. Routes that set the header by its literal string value (for example `setHeader("SEARCH_QUERY", ...)`) must be updated to use the new value (`setHeader("CamelElasticsearchSearchQuery", ...)`). +=== camel-mail + +The SMTP producer no longer extracts dynamic JavaMail session properties from message headers by +default. Previously any message header whose key started with `mail.smtp.` was applied to a +per-message `JavaMailSender`, which meant an upstream producer that mapped untrusted input into the +exchange header map (for example `platform-http` query parameters, JMS or Kafka messages from +untrusted producers) could override transport-security settings such as `mail.smtp.ssl.trust` or +`mail.smtp.starttls.enable`, or redirect the SMTP connection. + +This behaviour is now disabled by default. Routes that legitimately rely on per-message +`mail.smtp.*` headers must opt back in on the endpoint: + +[source,java] +---- +.to("smtp://mymailserver:1234?useJavaMailSessionPropertiesFromHeaders=true"); +---- + +Even with the opt-in, route authors should still strip the namespace with +`removeHeaders("mail.smtp.*")` between any untrusted ingress and the mail producer. + +In addition, the inbound `MailHeaderFilterStrategy` now blocks the `mail.smtp.` / `mail.smtps.` +prefix as well, so an external mail message can no longer inject these into a downstream exchange. + == Upgrading from 4.14.2 to 4.14.3 === camel-tika
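Review bot: The hardening advice in this entry is narrower than the filter it describes. The producer paragraph and the `removeHeaders("mail.smtp.*")` recommendation only cover the `mail.smtp.` prefix, while the last paragraph says the inbound `MailHeaderFilterStrategy` now blocks both `mail.smtp.` and `mail.smtps.`. Either state explicitly that the producer only ever extracted `mail.smtp.` headers (so `mail.smtps.*` never reached the session), or widen the advice to strip both namespaces, e.g. `removeHeaders("mail.smtp*")` or two `removeHeaders` calls, so a reader upgrading an `smtps://` route does not assume the single pattern is sufficient. It would also help operators to say what the producer does with `mail.smtp.*` headers when `useJavaMailSessionPropertiesFromHeaders` is left at its default (silently ignored, or logged at some level), since that is what an upgrading team would watch for to find routes that relied on the old behaviour and now need the opt-in. Finally, the new `=== camel-mail` block is inserted immediately above `== Upgrading from 4.14.2 to 4.14.3`, so it lands in the preceding release's section; please confirm that matches the 4.14.x branch where the change actually shipped.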