From 9d4a9e2582d416a5a38696581580fae595a07fde Mon Sep 17 00:00:00 2001 From: Noah Schatz Date: Wed, 13 May 2026 22:34:55 -0400 Subject: [PATCH 1/7] fix(140): migrate HttpReceiver.java to org.apache.http imports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Swap line 75 import from `org.apache.commons.httpclient.HttpStatus` to `org.apache.http.HttpStatus`. Constant names (SC_OK, SC_INTERNAL_SERVER_ERROR) are identical between commons-httpclient 3.x and httpcore 4.4.13; all six callsites (lines 483, 485, 529, 550, 722, 815) remain byte-unchanged. Eliminates exposure to CVE-2012-5783, CVE-2014-3577, CVE-2015-5262 in this caller. WebDAV path (WebDavConnection.java) still uses 3.x at runtime — disclosed in SECURITY.md and tracked in SEC-V2-01. Refs #140 (SEC-03) Co-Authored-By: Claude Opus 4.7 (1M context) --- server/src/com/mirth/connect/connectors/http/HttpReceiver.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/src/com/mirth/connect/connectors/http/HttpReceiver.java b/server/src/com/mirth/connect/connectors/http/HttpReceiver.java index 84430abd3..3c4dad5aa 100644 --- a/server/src/com/mirth/connect/connectors/http/HttpReceiver.java +++ b/server/src/com/mirth/connect/connectors/http/HttpReceiver.java @@ -72,7 +72,7 @@ import org.apache.commons.collections4.CollectionUtils; import org.apache.commons.collections4.ListUtils; import org.apache.commons.fileupload.servlet.ServletFileUpload; -import org.apache.commons.httpclient.HttpStatus; +import org.apache.http.HttpStatus; import org.apache.commons.io.IOUtils; import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.exception.ExceptionUtils; From 47835ac632f40b52b91bc72a57eaaa42514899a8 Mon Sep 17 00:00:00 2001 
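Review bot: the sentence "Eliminates exposure to CVE-2012-5783, CVE-2014-3577, CVE-2015-5262 in this caller" overstates what this one-line hunk does. `HttpStatus` is a constants-only type; the three CVEs live in the 3.x TLS/connection code, which `HttpReceiver` never reached through this import, and the same message confirms `commons-httpclient-3.0.1.jar` stays on the runtime classpath. Reword to something like "removes this file's compile-time reference to commons-httpclient 3.x" so SECURITY.md and the changelog do not inherit an inflated claim. Style: the new `import org.apache.http.HttpStatus;` lands between `org.apache.commons.fileupload.servlet.ServletFileUpload` and `org.apache.commons.io.IOUtils`, out of alphabetical order; move it to the `org.apache.http` group. The swap itself is safe: httpcore's `HttpStatus` defines `SC_OK` and `SC_INTERNAL_SERVER_ERROR` with the same values, and patch 3/7 shows `org.apache.http` types already compiling in this module.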
From: Noah Schatz Date: Wed, 13 May 2026 22:35:05 -0400 Subject: [PATCH 2/7] fix(140): migrate MirthWebServer.java to org.apache.http imports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Swap line 43 import from `org.apache.commons.httpclient.HttpStatus` to `org.apache.http.HttpStatus`. Constant names (SC_OK, SC_INTERNAL_SERVER_ERROR, SC_NOT_FOUND) are identical between commons-httpclient 3.x and httpcore 4.4.13; all three callsites (lines 927, 956, 960) remain byte-unchanged. Eliminates exposure to CVE-2012-5783, CVE-2014-3577, CVE-2015-5262 in this caller. WebDAV path (WebDavConnection.java) still uses 3.x at runtime — disclosed in SECURITY.md and tracked in SEC-V2-01. Refs #140 (SEC-03) Co-Authored-By: Claude Opus 4.7 (1M context) --- server/src/com/mirth/connect/server/MirthWebServer.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/src/com/mirth/connect/server/MirthWebServer.java b/server/src/com/mirth/connect/server/MirthWebServer.java index fc4681715..354aefbbd 100644 --- a/server/src/com/mirth/connect/server/MirthWebServer.java +++ b/server/src/com/mirth/connect/server/MirthWebServer.java @@ -40,7 +40,7 @@ import org.apache.commons.collections4.CollectionUtils; import org.apache.commons.configuration2.PropertiesConfiguration; -import org.apache.commons.httpclient.HttpStatus; +import org.apache.http.HttpStatus; import org.apache.commons.io.FileUtils; import org.apache.commons.io.IOUtils; import org.apache.commons.io.filefilter.FalseFileFilter; From 51c12a2d037ec174d8186934e26bbfae8a38913a Mon Sep 17 00:00:00 2001 
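Review bot: same two issues as in the `HttpReceiver` hunk: the "Eliminates exposure" wording describes a constants-only import swap as a vulnerability fix, and the replacement import sits between `org.apache.commons.configuration2.PropertiesConfiguration` and `org.apache.commons.io.FileUtils`, breaking the sort order of the block. The claim that the three call sites stay byte-unchanged holds: `SC_OK`, `SC_INTERNAL_SERVER_ERROR` and `SC_NOT_FOUND` all exist with the same numeric values on httpcore's `org.apache.http.HttpStatus`. Consider folding 1/7 through 3/7 into one commit, since they are the same mechanical change with the same message.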
From: Noah Schatz Date: Wed, 13 May 2026 22:35:15 -0400 Subject: [PATCH 3/7] fix(140): migrate ConnectServiceUtil.java to org.apache.http imports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Swap line 20 import from `org.apache.commons.httpclient.HttpStatus` to `org.apache.http.HttpStatus`. Constant names (SC_OK, SC_MOVED_TEMPORARILY) are identical between commons-httpclient 3.x and httpcore 4.4.13; all four callsites (lines 79, 115, 173, 224) remain byte-unchanged. Note: this file already imported `org.apache.http.HttpEntity`, `NameValuePair`, and `StatusLine` on adjacent lines — the `HttpStatus` import was the lone remaining 3.x reference. The file now uses a single coherent httpcomponents 4.x stack. Eliminates exposure to CVE-2012-5783, CVE-2014-3577, CVE-2015-5262 in this caller. WebDAV path (WebDavConnection.java) still uses 3.x at runtime — disclosed in SECURITY.md and tracked in SEC-V2-01. Refs #140 (SEC-03) Co-Authored-By: Claude Opus 4.7 (1M context) --- .../src/com/mirth/connect/client/core/ConnectServiceUtil.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/src/com/mirth/connect/client/core/ConnectServiceUtil.java b/server/src/com/mirth/connect/client/core/ConnectServiceUtil.java index 0056447e2..16e524f6a 100644 --- a/server/src/com/mirth/connect/client/core/ConnectServiceUtil.java +++ b/server/src/com/mirth/connect/client/core/ConnectServiceUtil.java @@ -17,7 +17,7 @@ import java.util.Map; import java.util.Set; -import org.apache.commons.httpclient.HttpStatus; +import org.apache.http.HttpStatus; import org.apache.commons.io.IOUtils; import org.apache.http.HttpEntity; import org.apache.http.NameValuePair; From cd998d0792932e9f906a6cf63c389940ed1ca7f0 Mon Sep 17 00:00:00 2001 
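Review bot: the replaced import keeps its old slot above `org.apache.commons.io.IOUtils` while the file's existing `org.apache.http.HttpEntity` and `org.apache.http.NameValuePair` imports sit two lines below; move `import org.apache.http.HttpStatus;` into that group so the block is sorted and the "single coherent httpcomponents 4.x stack" the message describes is visible in the imports. Since this file is under `client/core`, check whether `commons-httpclient-3.0.1.jar` is also shipped on the client or administrator classpath; if no client-side code references 3.x after this patch, the jar can be dropped there now, independently of the server-side WebDAV deferral.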
From: Noah Schatz Date: Wed, 13 May 2026 22:35:36 -0400 Subject: [PATCH 4/7] chore(140): document deferred httpclient migration in WebDavConnection.java MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a single-line TODO comment immediately above the `org.apache.commons.httpclient.HttpURL` / `HttpsURL` imports flagging that WebDAV migration to Sardine is deferred to SEC-V2-01 (next milestone). No functional change — imports preserved, runtime behavior unchanged, `commons-httpclient-3.0.1.jar` remains on classpath. Apache Slide WebDAV's `HttpURL` and `HttpsURL` types are runtime classes for which there is no 4.x equivalent without rewriting the connector against a different WebDAV client library. CONTEXT.md locks this deferral. Refs #140 (SEC-03) Co-Authored-By: Claude Opus 4.7 (1M context) --- .../connect/connectors/file/filesystems/WebDavConnection.java | 1 + 1 file changed, 1 insertion(+) diff --git a/server/src/com/mirth/connect/connectors/file/filesystems/WebDavConnection.java b/server/src/com/mirth/connect/connectors/file/filesystems/WebDavConnection.java index fc7209ea6..7c6476aea 100644 --- a/server/src/com/mirth/connect/connectors/file/filesystems/WebDavConnection.java +++ b/server/src/com/mirth/connect/connectors/file/filesystems/WebDavConnection.java @@ -16,6 +16,7 @@ import java.util.List; import java.util.Map; +// TODO: migrate to Sardine; blocked by Apache Slide dependency (SEC-V2-01) import org.apache.commons.httpclient.HttpURL; import org.apache.commons.httpclient.HttpsURL; import org.apache.commons.io.filefilter.WildcardFileFilter; From 14d24f95b95637069e56d9fdd5ff4041648fa73a Mon Sep 17 00:00:00 2001 
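Review bot: the TODO text "blocked by Apache Slide dependency" misstates the blocker: `HttpURL` and `HttpsURL` are commons-httpclient 3.x classes, not Slide classes; the coupling is that Slide's `WebdavResource` API takes an `HttpURL`, so the comment should say "blocked on Slide WebdavResource taking commons-httpclient HttpURL". More important for SECURITY.md readers: this is the only file in the series where the 3.x TLS stack is actually exercised at runtime (`HttpsURL`), so the residual exposure to the cited hostname-verification CVEs lives here, and the comment should say so rather than only naming Sardine as the target. A one-line TODO buried in the import block is also easy to lose; put it as a class-level comment or next to the point where the `HttpsURL` is constructed.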
From: Noah Schatz Date: Wed, 13 May 2026 22:35:58 -0400 Subject: [PATCH 5/7] chore(140): document deferred httpclient migration in HTTPUtil.java MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a single-line TODO comment immediately above the `org.apache.commons.httpclient.Header` / `HttpParser` imports flagging that this caller's migration to `org.apache.http` is deferred to the SEC-V2-01 companion task. No functional change — imports preserved, runtime behavior unchanged. `HttpParser.parseHeaders(InputStream, String)` from commons-httpclient 3.x has no direct equivalent in httpcomponents 4.x; the deferral is a behavior-level API rewrite, not a constant swap. CONTEXT.md locks this deferral. Refs #140 (SEC-03) Co-Authored-By: Claude Opus 4.7 (1M context) --- server/src/com/mirth/connect/server/userutil/HTTPUtil.java | 1 + 1 file changed, 1 insertion(+) diff --git a/server/src/com/mirth/connect/server/userutil/HTTPUtil.java b/server/src/com/mirth/connect/server/userutil/HTTPUtil.java index c03704bb7..a90f085ae 100644 --- a/server/src/com/mirth/connect/server/userutil/HTTPUtil.java +++ b/server/src/com/mirth/connect/server/userutil/HTTPUtil.java @@ -21,6 +21,7 @@ import javax.xml.parsers.ParserConfigurationException; import org.apache.commons.fileupload.FileUploadBase; +// TODO: migrate to org.apache.http; blocked on HttpParser equivalent (SEC-V2-01 companion) import org.apache.commons.httpclient.Header; import org.apache.commons.httpclient.HttpParser; import org.apache.commons.io.IOUtils; From 32e3d5ee7dd932b727fc44dd3a7e4fd5e794906c Mon Sep 17 00:00:00 2001 
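Review bot: the deferral rationale "no direct equivalent in httpcomponents 4.x" for `HttpParser.parseHeaders(InputStream, String)` is too strong. httpcore 4.x provides `org.apache.http.impl.io.AbstractMessageParser.parseHeaders(SessionInputBuffer, int maxHeaderCount, int maxLineLen, LineParser)` together with `SessionInputBufferImpl` (bind it to the `InputStream`) and `BasicLineParser.parseHeader(CharArrayBuffer)` for single lines, returning `org.apache.http.Header[]`. That route also adds header-count and line-length limits the 3.x parser does not enforce, which matters for code in `userutil` that parses untrusted input. Either migrate now or record that candidate in the TODO. Separately, "SEC-V2-01 companion" is not a tracker id; file a distinct ticket and reference it in the comment.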
From: Noah Schatz Date: Wed, 13 May 2026 22:36:35 -0400 Subject: [PATCH 6/7] docs(140): disclose residual commons-httpclient classpath exposure in SECURITY.md Append a new "Known residual dependencies" section to SECURITY.md disclosing that `commons-httpclient-3.0.1.jar` remains on the server classpath for `WebDavConnection.java` runtime resolution (Apache Slide WebDAV). Tracked for removal under SEC-V2-01. This completes the user-visible disclosure pair for #140: the three constant-only callers (`HttpReceiver`, `MirthWebServer`, `ConnectServiceUtil`) have been migrated to `org.apache.http`; the remaining 3.x exposure is scoped to the WebDAV ingest path, which will be addressed in the SEC-V2-01 follow-up milestone. Closes #140 (SEC-03) Co-Authored-By: Claude Opus 4.7 (1M context) --- SECURITY.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 9790ef47d..db27106b5 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -9,3 +9,7 @@ We support the current minor version in regards to security updates. Versions ar If this is a critical vulnerability that you would like to contact us confidentially, email us here: ossteam@innovarhealthcare.com + +## Known residual dependencies + +- `commons-httpclient-3.0.1.jar` remains on the server classpath for `WebDavConnection.java` runtime resolution (Apache Slide WebDAV). Tracked for removal under SEC-V2-01. No other callers reference 3.x APIs as of #140 merge. From 0b7e0aec1478964d1e4790701385f46656ca1cb5 Mon Sep 17 00:00:00 2001 
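Review bot: the added bullet's last sentence, "No other callers reference 3.x APIs as of #140 merge", is contradicted by patch 5/7 in this same series, which deliberately keeps `org.apache.commons.httpclient.Header` and `HttpParser` in `HTTPUtil.java` under a TODO. Because 7/7 rewrites this bullet, squash 6/7 and 7/7 so the inaccurate disclosure never exists in history. Also, "Closes #140" while two call sites are deferred leaves SECURITY.md readers with no link to follow; either keep #140 open or put the SEC-V2-01 tracker reference in the bullet itself.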
From: Noah Schatz Date: Wed, 13 May 2026 23:00:04 -0400 Subject: [PATCH 7/7] docs(140): correct contradictory residual-CVE statement in SECURITY.md (WR-05) The original disclosure asserted 'No other callers reference 3.x APIs as of #140 merge,' but the same PR explicitly retained 3.x imports in both WebDavConnection.java (HttpURL / HttpsURL) and HTTPUtil.java (Header / HttpParser) with TODO markers tracking deferral. Replace the single-call-site disclosure with an accurate enumeration of both deferred call sites, the unmigrated CVEs in the retained jar, and the bounded-exposure statement. --- SECURITY.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index db27106b5..4c39669ef 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -12,4 +12,14 @@ ossteam@innovarhealthcare.com ## Known residual dependencies -- `commons-httpclient-3.0.1.jar` remains on the server classpath for `WebDavConnection.java` runtime resolution (Apache Slide WebDAV). Tracked for removal under SEC-V2-01. No other callers reference 3.x APIs as of #140 merge. +- `commons-httpclient-3.0.1.jar` remains on the server classpath for runtime + resolution of two deferred call sites: + - `WebDavConnection.java` (`HttpURL` / `HttpsURL` — blocked on Apache Slide + replacement; tracked under SEC-V2-01). + - `HTTPUtil.java` (`Header` / `HttpParser` — blocked on `HttpParser.parseHeaders` + equivalent in `org.apache.http`; tracked under SEC-V2-01 companion). + + All other constant-only callers (`HttpReceiver.java`, `MirthWebServer.java`, + `ConnectServiceUtil.java`) were migrated in #140. The jar carries unfixed + CVE-2012-5783, CVE-2014-3577, and CVE-2015-5262 (MITM / hostname-verification); + exposure is bounded to the two WebDAV/HTTP utility call sites above.
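Review bot: the parenthetical "(MITM / hostname-verification)" fits CVE-2012-5783 and CVE-2014-3577 but not CVE-2015-5262, which is about the socket timeout not being applied during the TLS handshake (a hang / denial-of-service issue); split the description so the disclosure is accurate per CVE. The closing sentence "exposure is bounded to the two WebDAV/HTTP utility call sites above" also needs tightening in two directions: `HTTPUtil.java` uses only `Header` and `HttpParser`, pure parsing, so none of the three TLS CVEs are reachable through it, and the only in-tree code exercising the 3.x TLS stack is `WebDavConnection`'s `HttpsURL` path; conversely, a jar on the server classpath is loadable by anything on that classpath, so "bounded" holds only if no other code, including user-authored channel scripts given this lives alongside `userutil`, can instantiate the 3.x `HttpClient`. Suggest: "the only in-tree code path exercising the 3.x TLS stack is `WebDavConnection`; the jar remains loadable by any code on the server classpath until SEC-V2-01 removes it."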