louislam / uptime-kuma

A fancy self-hosted monitoring tool
https://uptime.kuma.pet
MIT License

Parse Error: Unexpected whitespace after header value #4899

Closed robcarvaj closed 1 month ago

robcarvaj commented 3 months ago

📑 I have found these related issues/pull requests

I have not found any similar issues.

πŸ›‘οΈ Security Policy

Description

I use Uptime Kuma in Docker. Recently I updated from 1.23.11 to 1.23.13 and after the upgrade I started to get the following error on multiple HTTPS monitors: Parse Error: Unexpected whitespace after header value

👟 Reproduction steps

The issue was encountered after upgrading to the latest version following: https://github.com/louislam/uptime-kuma/wiki/%F0%9F%86%99-How-to-Update

Commands:

docker pull louislam/uptime-kuma:1
docker stop uptime-kuma
docker rm uptime-kuma
docker run -d --restart=always -p 3001:3001 -v uptime-kuma:/app/data --name uptime-kuma louislam/uptime-kuma:1

👀 Expected behavior

Nothing else has changed in my environment besides the upgrade to the latest version. If I roll back to version 1.23.11 everything starts working.

😓 Actual Behavior

Error "Parse Error: Unexpected whitespace after header value" in multiple HTTP monitors (not all of them). It seems to be random.

🐻 Uptime-Kuma Version

1.23.13

💻 Operating System and Arch

Ubuntu 20.04.6 LTS

🌐 Browser

Google Chrome 126.0.6478.127

🖥️ Deployment Environment

πŸ“ Relevant log output

No response

CommanderStorm commented 3 months ago

Seems weird. Can you share the configuration of one of the monitors for which this is happening? I can't reproduce this on my end.

For future-frank, this is how to get headers from a request:

$ curl --include --no-progress-meter --head -X GET https://nav.tum.de

robcarvaj commented 3 months ago

Sure,

Here's the configuration for the monitor:

Monitor Type: HTTP(s)
Friendly Name: test
URL: https://www.accesoremoto.movistar.es/Admin/Login.aspx?chcode=5450
Heartbeat Interval (Check every 60 seconds): 60
Retries: 2
Heartbeat Retry Interval (Retry every 60 seconds): 60
Request Timeout (Timeout after 48 seconds): 48
Resend Notification if Down X times consecutively (Resend disabled): 0

Advanced
Certificate Expiry Notification: (unchecked)
Ignore TLS/SSL error for HTTPS websites: (unchecked)
Upside Down Mode (Flip the status upside down. If the service is reachable, it is DOWN.): (unchecked)
Max. Redirects: 10
Accepted Status Codes: 200-299
Monitor Group: None

dxiri commented 1 month ago

@CommanderStorm I am also having this issue, any update on a workaround or fix?

CommanderStorm commented 1 month ago

Sorry, forgot to comment: First of all, fix your server and make sure that it is spec-compliant. Whitespace after headers is simply not allowed.

You are able to get around this by adding the --insecure-http-parser flag to node (for docker, see NODE_OPTIONS). But please, fix your services.

From the node docs:

--insecure-http-parser Added in: node v13.4.0, node v12.15.0, node v10.19.0 Enable leniency flags on the HTTP parser. This may allow interoperability with non-conformant HTTP implementations.

When enabled, the parser will accept the following:

  • Invalid HTTP headers values.
  • Invalid HTTP versions.
  • Allow message containing both Transfer-Encoding and Content-Length headers.
  • Allow extra data after message when Connection: close is present.
  • Allow extra transfer encodings after chunked has been provided.
  • Allow \n to be used as token separator instead of \r\n.
  • Allow \r\n not to be provided after a chunk.
  • Allow spaces to be present after a chunk size and before \r\n.

All the above will expose your application to request smuggling or poisoning attack. Avoid using this option.

Given that this is alerting to a valid issue, I think closing as https://github.com/louislam/uptime-kuma/labels/wontfix is the best option.

dxiri commented 1 month ago

@CommanderStorm

Sorry, forgot to comment: First of all, fix your server and make sure that it is spec-compliant. Whitespace after headers is simply not allowed.

Which whitespace are you referring to here? Can you elaborate?

CommanderStorm commented 1 month ago

For the site mentioned above, that would be: set-cookie: TestCookie=true; path=/; secure; HttpOnly   X-Frame-Options: DENY

=> these are 2 headers mashed together and separated by 3 whitespaces. They should be separated instead via a \r\n

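As an added illustration (not code from uptime-kuma or Node), the script below lints a raw response header block, such as the output of the curl command quoted earlier, against RFC 9110 and reports what a strict parser rejects, so the offending line can be found without enabling the lenient parser. The sample response is constructed, and it assumes the three spaces begin a new line (obsolete line folding) rather than sitting mid-line.

```javascript
// Added example (not uptime-kuma or Node code): lint a raw HTTP/1.1 response
// header block against RFC 9110 so an operator can see what a strict parser
// such as Node's llhttp rejects, instead of reaching for --insecure-http-parser.

// Field names are tokens; values may hold VCHAR, SP, HTAB or obs-text (0x80-0xFF).
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const VALUE_RE = /^[\t \x21-\x7e\x80-\xff]*$/;

// Returns { line, problem } findings; an empty list means the section is well-formed.
function lintHeaderBlock(raw) {
  const findings = [];
  const lines = raw.split("\n");
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    if (line === "" || line === "\r") break;  // empty line ends the header section
    const n = i + 1;
    if (!line.endsWith("\r")) {
      findings.push({ line: n, problem: "bare LF line terminator, expected CRLF" });
    }
    const text = line.replace(/\r$/, "");
    if (i === 0) continue;                     // status line is not a field line
    if (/^[ \t]/.test(text)) {
      // Obsolete line folding (a continuation line starting with SP/HTAB):
      // forbidden by RFC 9110 in responses and rejected by strict llhttp.
      findings.push({ line: n, problem: "line starts with whitespace (obs-fold)" });
      continue;
    }
    const colon = text.indexOf(":");
    if (colon < 1) { findings.push({ line: n, problem: "field line has no ':'" }); continue; }
    const name = text.slice(0, colon);
    const value = text.slice(colon + 1).replace(/^[ \t]+|[ \t]+$/g, "");  // OWS is allowed
    if (!TOKEN_RE.test(name)) findings.push({ line: n, problem: `invalid field name ${JSON.stringify(name)}` });
    if (!VALUE_RE.test(value)) findings.push({ line: n, problem: `invalid character in value of ${name}` });
  }
  return findings;
}

// Constructed sample modelled on the two headers quoted above, assuming the
// "3 whitespaces" begin a new line, i.e. the second header is folded onto the first.
const FOLDED = [
  "HTTP/1.1 200 OK",
  "content-type: text/html",
  "set-cookie: TestCookie=true; path=/; secure; HttpOnly",
  "   X-Frame-Options: DENY",
  "", "",
].join("\r\n");
// The compliant form: every field on its own CRLF-terminated line.
const FIXED = FOLDED.replace("\r\n   X-Frame-Options", "\r\nX-Frame-Options");

for (const f of lintHeaderBlock(FOLDED)) console.log(`line ${f.line}: ${f.problem}`);
```

The bare-LF check corresponds to the "\n as token separator" leniency listed in the node docs above, so the same script also flags servers that would need that flag.
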
dxiri commented 1 month ago

Very useful, thanks! From my curl tests using the command you posted in your previous comment, it doesn't show like that.

Can you let me know which command did you use to test?

Thanks!


CommanderStorm commented 1 month ago

No, I used the command I noted above on the URL reported after that. Nothing special here, just careful reading through every line of the output.
