Return-Path: X-Original-To: apmail-camel-users-archive@www.apache.org Delivered-To: apmail-camel-users-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id B5F7F1888D for ; Wed, 5 Aug 2015 12:53:41 +0000 (UTC) Received: (qmail 82140 invoked by uid 500); 5 Aug 2015 12:53:41 -0000 Delivered-To: apmail-camel-users-archive@camel.apache.org Received: (qmail 82094 invoked by uid 500); 5 Aug 2015 12:53:41 -0000 Mailing-List: contact users-help@camel.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: users@camel.apache.org Delivered-To: mailing list users@camel.apache.org Received: (qmail 82082 invoked by uid 99); 5 Aug 2015 12:53:41 -0000 Received: from Unknown (HELO spamd4-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 05 Aug 2015 12:53:41 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id 9357BC0045 for ; Wed, 5 Aug 2015 12:53:40 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 2.9 X-Spam-Level: ** X-Spam-Status: No, score=2.9 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=disabled Authentication-Results: spamd4-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mx1-eu-west.apache.org ([10.40.0.8]) by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024) with ESMTP id RzLRPpm4brBn for ; Wed, 5 Aug 2015 12:53:33 +0000 (UTC) Received: from mail-la0-f42.google.com (mail-la0-f42.google.com [209.85.215.42]) by mx1-eu-west.apache.org (ASF Mail Server at mx1-eu-west.apache.org) with ESMTPS id 5DD2324B17 for ; Wed, 5 Aug 2015 12:53:32 +0000 (UTC) Received: by labkb6 with SMTP id kb6so6124115lab.2 for ; Wed, 05 Aug 2015 05:53:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=u7gOb2cLgyojycanOAJOmJ9AwhdrW9gGRWjnbf7g1s0=; b=ShS9OJWFz29zZc6MWiz5B+C/GVIpp/8Qd/bbe6noOObGkMGpatArJcXrItNkjHae6n YiJiNGGhdRtlbk+h08wjHpa6ABeMgwKqZPT14ruJ8UhUTsgIntexcVDQHCCXdRWrk7lw 2EMPkKGZWREssT2VkZxReT9auwtHee5/GuNLW3dFpkJwp73FopUBUQmQLmkXxJBq0hf9 6yyBmVHGW0H1lHtu4xG/DKW0o2A9Y86D+jlr9KR7N4jtcGzcBmKuNID6p0tR9G7zOqwy ggRj2ukXycTyIk9pnPthI3R+Q6axmczos6i0isgi8537oAKuCxW6mIXlRFadv9Q4MoVH QLIA== MIME-Version: 1.0 X-Received: by 10.112.159.162 with SMTP id xd2mr9000082lbb.67.1438779206381; Wed, 05 Aug 2015 05:53:26 -0700 (PDT) Received: by 10.25.33.147 with HTTP; Wed, 5 Aug 2015 05:53:26 -0700 (PDT) In-Reply-To: References: Date: Wed, 5 Aug 2015 13:53:26 +0100 Message-ID: Subject: Re: [security] http4 endpoint headers "leaking" From: James Green To: users Content-Type: multipart/alternative; boundary=001a11c30f8681b51f051c8fe386 --001a11c30f8681b51f051c8fe386 Content-Type: text/plain; charset=UTF-8 To follow-up, are we clear that the bug is when a remote HTTP server is called via to(http4:...) ? The remote side gets to see all the exchange headers, which is the leak. >From your email I was reading you thought it was to do with the consumer being wrong but it's the producer we're seeing bad things on. I'm no expert but I'm not seeing anything obvious to fix this in the commit. Thanks, James On 5 August 2015 at 10:04, James Green wrote: > We're using to - i.e. a producer. ..to(http4:some.host) and some.host gets > all the headers in the request. > > > On 5 August 2015 at 09:57, Claus Ibsen wrote: > >> Hi >> >> Yeah the http filter was filtering only for the producer. We should do >> it for the consumer as well, so camel-jetty etc do not include Camel >> headers in the http responses by default. >> >> There is plenty of options already we should not add more. >> >> I logged a ticket to let the http filter strategy filter those for >> both the producer and consumer >> https://issues.apache.org/jira/browse/CAMEL-9052 >> >> >> >> On Wed, Aug 5, 2015 at 9:51 AM, James Green >> wrote: >> > We recently had cause to tcpdump an http request from the http4 >> component >> > to a web site. We were most surprised to find a load of exchange headers >> > listed as HTTP "header: value" pairs. >> > >> > A quick search on-line brings up a couple of Red Hat / Fuse documents >> > saying that headers named 'Camel...' are not transmitted onwards, others >> > are. >> > >> > Two concerns: >> > >> > 1. We see no documentation concerning this on the http4 component's page >> > 2. There may be a great many applications deployed unintentionally >> > transmitting internal headers to third parties potentially in breach of >> > policy or legal restrictions without human knowledge >> > >> > I suggest adding a new option, CopyAllHeadersToHttpHeaders, defaulted to >> > false. This would allow developers to "correct" their applications >> without >> > code changes, and those taking advantage of this facility can switch it >> on >> > explicitly. >> > >> > This isn't a Camel security vulnerability but I very much expect it to >> be >> > leading to information leakage "out there". It is certainly not a >> behaviour >> > we expected to see given the documentation. There may be other >> components >> > that require similar attention. >> > >> > Thoughts? >> > >> > James >> >> >> >> -- >> Claus Ibsen >> ----------------- >> http://davsclaus.com @davsclaus >> Camel in Action 2nd edition: http://www.manning.com/ibsen2 >> > > --001a11c30f8681b51f051c8fe386--