diff --git a/components/camel-mail/pom.xml b/components/camel-mail/pom.xml
index 61b82bb0a6b40..cb288861ab459 100644
--- a/components/camel-mail/pom.xml
+++ b/components/camel-mail/pom.xml
@@ -125,6 +125,12 @@
camel-quartz2
test
+
+ org.assertj
+ assertj-core
+ ${assertj-version}
+ test
+
diff --git a/components/camel-mail/src/main/java/org/apache/camel/component/mail/DelegatingDataSource.java b/components/camel-mail/src/main/java/org/apache/camel/component/mail/DelegatingDataSource.java
new file mode 100644
index 0000000000000..5a8eeac06d9bf
--- /dev/null
+++ b/components/camel-mail/src/main/java/org/apache/camel/component/mail/DelegatingDataSource.java
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.camel.component.mail;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+import javax.activation.DataSource;
+
+import org.apache.camel.util.ObjectHelper;
+import org.apache.camel.util.StringHelper;
+
+final class DelegatingDataSource implements DataSource {
+
+ private final DataSource delegate;
+
+ private final String name;
+
+ public DelegatingDataSource(final String name, final DataSource delegate) {
+ this.name = StringHelper.notEmpty(name, "name");
+ this.delegate = ObjectHelper.notNull(delegate, "DataSource");
+ }
+
+ @Override
+ public String getContentType() {
+ return delegate.getContentType();
+ }
+
+ @Override
+ public InputStream getInputStream() throws IOException {
+ return delegate.getInputStream();
+ }
+
+ @Override
+ public String getName() {
+ return name;
+ }
+
+ @Override
+ public OutputStream getOutputStream() throws IOException {
+ return delegate.getOutputStream();
+ }
+
+}
diff --git a/components/camel-mail/src/main/java/org/apache/camel/component/mail/MailBinding.java b/components/camel-mail/src/main/java/org/apache/camel/component/mail/MailBinding.java
index 2220ac1100016..da89880324124 100644
--- a/components/camel-mail/src/main/java/org/apache/camel/component/mail/MailBinding.java
+++ b/components/camel-mail/src/main/java/org/apache/camel/component/mail/MailBinding.java
@@ -52,6 +52,7 @@
import org.apache.camel.impl.DefaultHeaderFilterStrategy;
import org.apache.camel.spi.HeaderFilterStrategy;
import org.apache.camel.util.CollectionHelper;
+import org.apache.camel.util.FileUtil;
import org.apache.camel.util.IOHelper;
import org.apache.camel.util.ObjectHelper;
import org.slf4j.Logger;
@@ -314,7 +315,7 @@ protected void extractAttachmentsFromMultipart(Multipart mp, Map headers = part.getAllHeaders();
while (headers.hasMoreElements()) {
diff --git a/components/camel-mail/src/test/java/org/apache/camel/component/mail/MailBindingAttachmentFileTest.java b/components/camel-mail/src/test/java/org/apache/camel/component/mail/MailBindingAttachmentFileTest.java
new file mode 100644
index 0000000000000..e77304280d089
--- /dev/null
+++ b/components/camel-mail/src/test/java/org/apache/camel/component/mail/MailBindingAttachmentFileTest.java
@@ -0,0 +1,75 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.camel.component.mail;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Properties;
+
+import javax.activation.DataHandler;
+import javax.mail.Message;
+import javax.mail.MessagingException;
+import javax.mail.Multipart;
+import javax.mail.Session;
+import javax.mail.internet.MimeBodyPart;
+import javax.mail.internet.MimeMessage;
+import javax.mail.internet.MimeMultipart;
+
+import org.apache.camel.Attachment;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameter;
+import org.junit.runners.Parameterized.Parameters;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+@RunWith(Parameterized.class)
+public class MailBindingAttachmentFileTest {
+
+ @Parameter
+ public String name;
+
+ private final MailBinding binding = new MailBinding();
+
+ @Test
+ public void shouldSanitizeAttachmentFileNames() throws MessagingException, IOException {
+ final Session session = Session.getInstance(new Properties());
+ final Message message = new MimeMessage(session);
+
+ final Multipart multipart = new MimeMultipart();
+ final MimeBodyPart part = new MimeBodyPart();
+ part.attachFile(name);
+ multipart.addBodyPart(part);
+ message.setContent(multipart);
+
+ final Map attachments = new HashMap<>();
+ binding.extractAttachmentsFromMail(message, attachments);
+
+ assertThat(attachments).containsKey("file.txt");
+ final Attachment attachment = attachments.get("file.txt");
+ final DataHandler dataHandler = attachment.getDataHandler();
+ assertThat(dataHandler.getName()).isEqualTo("file.txt");
+ }
+
+ @Parameters(name = "{0}")
+ public static Iterable fileNames() {
+ return Arrays.asList("file.txt", "../file.txt", "..\\file.txt", "/absolute/file.txt", "c:\\absolute\\file.txt");
+ }
+}