This is an automated email from the ASF dual-hosted git repository.

pcongiusti pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git


The following commit(s) were added to refs/heads/main by this push:
     new 7d73817d7ceb chore(components): sanitize user input
7d73817d7ceb is described below

commit 7d73817d7ceb436cd0d727b4dd765c5be97bcf08
Author: Pasquale Congiusti <[email protected]>
AuthorDate: Fri Oct 10 09:46:14 2025 +0200

    chore(components): sanitize user input
---
 .../java/org/apache/camel/http/common/DefaultHttpBinding.java | 11 ++++++-----
 .../main/java/org/apache/camel/http/common/HttpHelper.java    |  2 +-
 .../apache/camel/component/jetty12/AttachmentHttpBinding.java | 11 ++++++-----
 3 files changed, 13 insertions(+), 11 deletions(-)

diff --git 
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
 
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
index 5bb3ad31df62..e0ac3d0126df 100644
--- 
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
+++ 
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
@@ -241,14 +241,15 @@ public class DefaultHttpBinding implements HttpBinding {
             String name = (String) names.nextElement();
             // there may be multiple values for the same name
             String[] values = request.getParameterValues(name);
-            if (LOG.isTraceEnabled()) {
-                LOG.trace("HTTP parameter {} = {}", name, 
HttpHelper.sanitizeLog(values));
-            }
-
             if (values != null) {
+                if (LOG.isTraceEnabled()) {
+                    LOG.trace("HTTP parameter {} = {}", name, 
HttpHelper.sanitizeLog(values));
+                }
                 for (String value : values) {
+                    // use http helper to extract parameter value as it may 
contain multiple values
+                    Object extracted = 
HttpHelper.extractHttpParameterValue(value);
                     if (headerFilterStrategy != null
-                            && 
!headerFilterStrategy.applyFilterToExternalHeaders(name, value, 
message.getExchange())) {
+                            && 
!headerFilterStrategy.applyFilterToExternalHeaders(name, extracted, 
message.getExchange())) {
                         HttpHelper.appendHeader(headers, name, value);
                     }
                 }
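Review bot: In the parameter loop the filter strategy is now asked about `extracted`, but the unchanged call `HttpHelper.appendHeader(headers, name, value)` still stores the raw string, so a value-sensitive `HeaderFilterStrategy` approves one object while a different one becomes the message header. If the parsed form is what should be stored, the call would become `HttpHelper.appendHeader(headers, name, extracted);`. If the raw string is kept on purpose, a comment such as `// filter sees the parsed value; the raw parameter string is stored unchanged` would make that explicit, since the added comment only explains the extraction. The AttachmentHttpBinding hunk has the same mismatch. The diffstat lists no test file, so a case with a bracketed multi-value parameter (the `[value1, value2, value3]` syntax from the HttpHelper javadoc) would pin the intended behaviour; the enclosing method starts and ends outside the hunk.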
diff --git 
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpHelper.java
 
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpHelper.java
index 1984dce3130e..42cf8c975989 100644
--- 
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpHelper.java
+++ 
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpHelper.java
@@ -288,7 +288,7 @@ public final class HttpHelper {
      * This implementation supports HTTP multi value parameters which is based 
on the syntax of
      * <tt>[value1, value2, value3]</tt> by returning a {@link List} 
containing the values.
      * <p/>
-     * If the value is not a HTTP mulit value the value is returned as is.
+     * If the value is not a HTTP multi value the value is returned as is.
      *
      * @param  value the parameter value
      * @return       the extracted parameter value, see more details in 
javadoc.
diff --git 
a/components/camel-jetty/src/main/java/org/apache/camel/component/jetty12/AttachmentHttpBinding.java
 
b/components/camel-jetty/src/main/java/org/apache/camel/component/jetty12/AttachmentHttpBinding.java
index a7af8bce33aa..e299db0b555c 100644
--- 
a/components/camel-jetty/src/main/java/org/apache/camel/component/jetty12/AttachmentHttpBinding.java
+++ 
b/components/camel-jetty/src/main/java/org/apache/camel/component/jetty12/AttachmentHttpBinding.java
@@ -123,14 +123,15 @@ final class AttachmentHttpBinding extends 
DefaultHttpBinding {
 
                 // there may be multiple values for the same name
                 String[] values = request.getParameterValues(name);
-                if (LOG.isTraceEnabled()) {
-                    LOG.trace("HTTP parameter {} = {}", name, 
HttpHelper.sanitizeLog(values));
-                }
-
                 if (values != null) {
+                    if (LOG.isTraceEnabled()) {
+                        LOG.trace("HTTP parameter {} = {}", name, 
HttpHelper.sanitizeLog(values));
+                    }
                     for (String value : values) {
+                        // use http helper to extract parameter value as it 
may contain multiple values
+                        Object extracted = 
HttpHelper.extractHttpParameterValue(value);
                         if (getHeaderFilterStrategy() != null
-                                && 
!getHeaderFilterStrategy().applyFilterToExternalHeaders(name, value,
+                                && 
!getHeaderFilterStrategy().applyFilterToExternalHeaders(name, extracted,
                                         message.getExchange())) {
                             HttpHelper.appendHeader(headers, name, value);
                         }
