
fix(security): close #140 — migrate constant-only commons-httpclient callers to org.apache.http (SEC-03)#159

Open

NSchatz wants to merge 7 commits into Innovar-Healthcare:bridgelink_development from NSchatz:fix/issue-140-httpclient-migrate

Conversation


@NSchatz NSchatz commented May 14, 2026

Summary

Closes #140.

Migrates the three constant-only commons-httpclient 3.0.1 callers to the already-vendored org.apache.http (httpcore-4.4.13.jar / httpclient-4.5.13.jar). Per CONTEXT.md, commons-httpclient-3.0.1.jar STAYS on the classpath because WebDavConnection.java still depends on it at runtime (Apache Slide WebDAV). Full WebDAV migration is deferred to SEC-V2-01.

Changes

  • server/src/com/mirth/connect/connectors/http/HttpReceiver.java line 75 — import swap. All HttpStatus.SC_* usage sites (lines 483, 485, 529, 550, 722, 815) byte-unchanged (constant names identical between 3.x and 4.x).
  • server/src/com/mirth/connect/server/MirthWebServer.java line 43 — import swap. Usage sites (lines 927, 956, 960) byte-unchanged.
  • server/src/com/mirth/connect/client/core/ConnectServiceUtil.java line 20 — import swap. Usage sites (lines 79, 115, 173, 224) byte-unchanged. (This file already imported other org.apache.http.* classes; the HttpStatus import was the lone remaining 3.x reference.)
  • server/src/com/mirth/connect/connectors/file/filesystems/WebDavConnection.java — inline // TODO comment referencing SEC-V2-01 (Sardine migration deferred; Apache Slide HttpURL / HttpsURL runtime dependency).
  • server/src/com/mirth/connect/server/userutil/HTTPUtil.java — inline // TODO comment referencing SEC-V2-01 companion (HttpParser.parseHeaders() rewrite deferred — no direct 4.x equivalent).
  • SECURITY.md — appended a new "Known residual dependencies" section disclosing the residual commons-httpclient-3.0.1.jar on classpath.

Per RESEARCH.md, NO build.xml modification is required: the classpath is a glob <fileset dir="${lib}" includes="**/*.jar" /> — the jar stays on disk and resolves transitively.

Scope clarifications

  • Three constant-only callers migrated (HttpReceiver, MirthWebServer, ConnectServiceUtil).
  • WebDavConnection.java and HTTPUtil.java intentionally NOT migrated — both require behavior-level API rewrites and are deferred to SEC-V2-01 / SEC-V2-01 companion in the next milestone. Inline // TODO comments mark the deferral.
  • commons-httpclient-3.0.1.jar retained on classpath at server/lib/commons/commons-httpclient-3.0.1.jar — required by WebDavConnection.java at runtime.
  • server/build.xml not modified — the classpath is a glob (<fileset dir="${lib}" includes="**/*.jar" />); no individual jar entry exists to annotate. The two inline // TODO comments serve the discoverability intent.
  • Residual CVE exposure disclosed in SECURITY.md under a new "Known residual dependencies" section.

Test plan

  • Per-file gate grep: grep -n "org.apache.commons.httpclient" <three target files> returns ZERO matches.
  • Each target file contains exactly one import org.apache.http.HttpStatus; line.
  • find server/lib -name 'commons-httpclient-3.0.1.jar' | wc -l returns 1 (jar still on disk for WebDAV).
  • Transitive scan: no other jar in server/lib bundles org/apache/commons/httpclient/ classes.
  • Deferred files (WebDavConnection.java, HTTPUtil.java) still import from org.apache.commons.httpclient (intentional — runtime resolution preserved) and now carry an explicit // TODO referencing SEC-V2-01.
  • ant -f server/build.xml compile: deferred to CI (ant/java not available in the executor's local environment). Compile validation falls back to GitHub Actions on push.
  • ant -f server/build.xml test -Dtest=DigesterTest and -Dtest=DefaultUserControllerTest: deferred to CI (same reason).
  • Runtime WebDAV smoke test (manual; described in .planning/phases/01-security-cluster/01-VALIDATION.md).
  • Second-set-of-eyes review.

Residual risk disclosed

commons-httpclient-3.0.1.jar remains on classpath for the WebDAV WebDavConnection.java runtime dependency. CVE-2012-5783, CVE-2014-3577, and CVE-2015-5262 remain exposed in that code path until SEC-V2-01 lands. The migrated call sites (HttpReceiver, MirthWebServer, ConnectServiceUtil) are no longer exposed.


Local test verification (2026-05-13)

Ant 1.10.14 + OpenJDK 17.0.18.

  • ant -f server/build.xml compile: BUILD SUCCESSFUL (48s)

  • ant -f server/build.xml test-compile: BUILD SUCCESSFUL (20s)

  • java org.junit.runner.JUnitCore on the four test classes that exercise the migrated files:

    • com.mirth.connect.server.MirthWebServerTest
    • com.mirth.connect.connectors.http.HttpReceiverTest
    • com.mirth.connect.connectors.http.HttpListenerRequestHeaderSizeTest
    • com.mirth.connect.connectors.http.HttpReceiverPropertiesTest

    Result: 107 of 108 tests pass in 7.7s.

    The single failure — MirthWebServerTest.testContextPathNormalizationHandlesEmpty (expected /, was empty string) — is pre-existing on bridgelink_development: rerunning the same test on trunk (bridgelink_development HEAD afcfa7160) produces the identical failure. Unrelated to the commons-httpclient import migration.

  • Production-code grep gate: grep -n "org.apache.commons.httpclient" server/src/com/mirth/connect/connectors/http/HttpReceiver.java server/src/com/mirth/connect/server/MirthWebServer.java server/src/com/mirth/connect/client/core/ConnectServiceUtil.java returns zero matches. Each target file imports org.apache.http.HttpStatus exactly once.

  • Deferred files (WebDavConnection.java, HTTPUtil.java) still resolve their org.apache.commons.httpclient imports — commons-httpclient-3.0.1.jar retained at server/lib/commons/commons-httpclient-3.0.1.jar. Server compiles cleanly with the deferred-file // TODO markers in place.
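The test-plan gates above (the per-file grep gate, the single-import check, the jar-retention count and the transitive jar scan) as one re-runnable shell script. This is an added example, not part of the PR or the project: the file paths and jar name come from the PR description, the server/src and server/lib layout is assumed, and the transitive scan relies on zip entry names being stored uncompressed inside a jar rather than on unzip being installed.

```shell
# Added example (not part of the PR): the PR's "per-file gate grep" test plan as
# re-runnable checks. Usage: sh httpclient_gates.sh /path/to/repo
# Assumes the server/src and server/lib layout named in the PR description.

# The three constant-only callers the PR migrates.
MIGRATED="server/src/com/mirth/connect/connectors/http/HttpReceiver.java
server/src/com/mirth/connect/server/MirthWebServer.java
server/src/com/mirth/connect/client/core/ConnectServiceUtil.java"

# Gate 1: a migrated file must not mention the 3.x package anywhere.
gate_no_legacy_refs() {
  fail=0
  for f in $MIGRATED; do
    grep -qF 'org.apache.commons.httpclient' "$1/$f" 2>/dev/null &&
      { echo "FAIL: $f still references org.apache.commons.httpclient"; fail=1; }
  done
  return $fail
}

# Gate 2: each migrated file carries exactly one org.apache.http.HttpStatus import.
gate_one_httpstatus_import() {
  fail=0
  for f in $MIGRATED; do
    n=$(grep -c '^import org\.apache\.http\.HttpStatus;' "$1/$f" 2>/dev/null || true)
    [ "${n:-0}" -eq 1 ] || { echo "FAIL: $f has ${n:-0} HttpStatus import(s), want 1"; fail=1; }
  done
  return $fail
}

# Gate 3: the 3.x jar stays on disk exactly once (WebDavConnection needs it at runtime).
gate_legacy_jar_retained() {
  n=$(find "$1/server/lib" -name 'commons-httpclient-3.0.1.jar' 2>/dev/null | grep -c . || true)
  [ "$n" -eq 1 ] || { echo "FAIL: found $n copies of commons-httpclient-3.0.1.jar, want 1"; return 1; }
}

# Gate 4 (transitive scan): no other jar bundles org/apache/commons/httpclient/ classes.
# Zip entry names are stored uncompressed, so grepping the raw jar bytes needs no unzip.
gate_no_bundled_copies() {
  fail=0
  for jar in $(find "$1/server/lib" -name '*.jar' ! -name 'commons-httpclient-3.0.1.jar' 2>/dev/null); do
    grep -qaF 'org/apache/commons/httpclient/' "$jar" &&
      { echo "FAIL: $jar bundles org/apache/commons/httpclient/ classes"; fail=1; }
  done
  return $fail
}

# Runs all four gates against a repo root; non-zero exit if any gate fails.
run_gates() {
  rc=0
  for g in gate_no_legacy_refs gate_one_httpstatus_import gate_legacy_jar_retained gate_no_bundled_copies; do
    "$g" "$1" || rc=1
  done; return $rc
}

if [ $# -gt 0 ]; then run_gates "$1"; fi
```

Because the gates are plain grep and find, the same script runs unchanged in a GitHub Actions step when ant is unavailable locally, as the test plan describes.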

NSchatz and others added 7 commits May 13, 2026 22:34
Swap line 75 import from `org.apache.commons.httpclient.HttpStatus`
to `org.apache.http.HttpStatus`. Constant names (SC_OK,
SC_INTERNAL_SERVER_ERROR) are identical between commons-httpclient 3.x
and httpcore 4.4.13; all six callsites (lines 483, 485, 529, 550, 722,
815) remain byte-unchanged.

Eliminates exposure to CVE-2012-5783, CVE-2014-3577, CVE-2015-5262 in
this caller. WebDAV path (WebDavConnection.java) still uses 3.x at
runtime — disclosed in SECURITY.md and tracked in SEC-V2-01.

Refs Innovar-Healthcare#140 (SEC-03)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Swap line 43 import from `org.apache.commons.httpclient.HttpStatus`
to `org.apache.http.HttpStatus`. Constant names (SC_OK,
SC_INTERNAL_SERVER_ERROR, SC_NOT_FOUND) are identical between
commons-httpclient 3.x and httpcore 4.4.13; all three callsites
(lines 927, 956, 960) remain byte-unchanged.

Eliminates exposure to CVE-2012-5783, CVE-2014-3577, CVE-2015-5262 in
this caller. WebDAV path (WebDavConnection.java) still uses 3.x at
runtime — disclosed in SECURITY.md and tracked in SEC-V2-01.

Refs Innovar-Healthcare#140 (SEC-03)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Swap line 20 import from `org.apache.commons.httpclient.HttpStatus`
to `org.apache.http.HttpStatus`. Constant names (SC_OK,
SC_MOVED_TEMPORARILY) are identical between commons-httpclient 3.x
and httpcore 4.4.13; all four callsites (lines 79, 115, 173, 224)
remain byte-unchanged.

Note: this file already imported `org.apache.http.HttpEntity`,
`NameValuePair`, and `StatusLine` on adjacent lines — the
`HttpStatus` import was the lone remaining 3.x reference. The file
now uses a single coherent httpcomponents 4.x stack.

Eliminates exposure to CVE-2012-5783, CVE-2014-3577, CVE-2015-5262
in this caller. WebDAV path (WebDavConnection.java) still uses 3.x
at runtime — disclosed in SECURITY.md and tracked in SEC-V2-01.

Refs Innovar-Healthcare#140 (SEC-03)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…n.java

Add a single-line TODO comment immediately above the
`org.apache.commons.httpclient.HttpURL` / `HttpsURL` imports flagging
that WebDAV migration to Sardine is deferred to SEC-V2-01 (next
milestone). No functional change — imports preserved, runtime
behavior unchanged, `commons-httpclient-3.0.1.jar` remains on
classpath.

Apache Slide WebDAV's `HttpURL` and `HttpsURL` types are runtime
classes for which there is no 4.x equivalent without rewriting the
connector against a different WebDAV client library. CONTEXT.md locks
this deferral.

Refs Innovar-Healthcare#140 (SEC-03)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Add a single-line TODO comment immediately above the
`org.apache.commons.httpclient.Header` / `HttpParser` imports flagging
that this caller's migration to `org.apache.http` is deferred to the
SEC-V2-01 companion task. No functional change — imports preserved,
runtime behavior unchanged.

`HttpParser.parseHeaders(InputStream, String)` from commons-httpclient
3.x has no direct equivalent in httpcomponents 4.x; the deferral is a
behavior-level API rewrite, not a constant swap. CONTEXT.md locks
this deferral.

Refs Innovar-Healthcare#140 (SEC-03)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

… SECURITY.md

Append a new "Known residual dependencies" section to SECURITY.md
disclosing that `commons-httpclient-3.0.1.jar` remains on the server
classpath for `WebDavConnection.java` runtime resolution (Apache
Slide WebDAV). Tracked for removal under SEC-V2-01.

This completes the user-visible disclosure pair for Innovar-Healthcare#140: the three
constant-only callers (`HttpReceiver`, `MirthWebServer`,
`ConnectServiceUtil`) have been migrated to `org.apache.http`; the
remaining 3.x exposure is scoped to the WebDAV ingest path, which
will be addressed in the SEC-V2-01 follow-up milestone.

Closes Innovar-Healthcare#140 (SEC-03)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…d (WR-05)

The original disclosure asserted 'No other callers reference 3.x APIs
as of Innovar-Healthcare#140 merge,' but the same PR explicitly retained 3.x imports in
both WebDavConnection.java (HttpURL / HttpsURL) and HTTPUtil.java
(Header / HttpParser) with TODO markers tracking deferral.

Replace the single-call-site disclosure with an accurate enumeration
of both deferred call sites, the unmigrated CVEs in the retained jar,
and the bounded-exposure statement.
Development

Successfully merging this pull request may close these issues.

[SECURITY] Apache commons vulnerability in httpclient 3.0.1 library
