Posted to commits@camel.apache.org by da...@apache.org on 2023/01/02 14:51:38 UTC

[camel] branch main updated: CAMEL-18825: Fix https://github.com/apache/camel/security/code-scanning/49

This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git


The following commit(s) were added to refs/heads/main by this push:
     new 6dcdfb748f8 CAMEL-18825: Fix https://github.com/apache/camel/security/code-scanning/49
6dcdfb748f8 is described below

commit 6dcdfb748f8fc21456af4d9d6d141cedbd20469e
Author: Claus Ibsen <cl...@gmail.com>
AuthorDate: Mon Jan 2 15:51:29 2023 +0100

    CAMEL-18825: Fix https://github.com/apache/camel/security/code-scanning/49
---
 .../src/main/java/org/apache/camel/component/mail/MailBinding.java    | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/components/camel-mail/src/main/java/org/apache/camel/component/mail/MailBinding.java b/components/camel-mail/src/main/java/org/apache/camel/component/mail/MailBinding.java
index 6a95c81934a..709daa7b46b 100644
--- a/components/camel-mail/src/main/java/org/apache/camel/component/mail/MailBinding.java
+++ b/components/camel-mail/src/main/java/org/apache/camel/component/mail/MailBinding.java
@@ -369,6 +369,10 @@ public class MailBinding {
             } else {
                 String disposition = part.getDisposition();
                 String fileName = part.getFileName();
+                // fix file name if using malicious parameter name
+                if (fileName != null) {
+                    fileName = fileName.replaceAll("[\n\r\t]", "_");
+                }
 
                 if (isAttachment(disposition) && (fileName == null || fileName.isEmpty())) {
                     if (generateMissingAttachmentNames != null
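
Review bot: The character class in fileName.replaceAll("[\n\r\t]", "_") covers only LF, CR and tab, so any other control character in the value returned by part.getFileName() passes through unchanged; if the intent is to neutralise control characters in general, a class such as \p{Cntrl} would cover them. The added comment says "malicious parameter name" while the code rewrites the file name, and it does not say which later use of fileName the replacement protects, so it is worth naming that use in the comment. The commit changes only MailBinding.java (4 insertions), so a test that feeds a file name containing CR/LF and checks the sanitised result would pin the behaviour. As a minor point, String.replaceAll compiles the regex on every call; a private static final Pattern would avoid recompiling it for each mail part.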