Closed robcarvaj closed 1 month ago
Seems weird. Can you share the configuration of one of the monitors for which this is happening? I can't reproduce this on my end.
For future-frank, this is how to get headers from a request:
$ curl --include --no-progress-meter --head -X GET https://nav.tum.de
Sure,
Here's the configuration for the monitor:
- Monitor Type: HTTP(s)
- Friendly Name: test
- URL: https://www.accesoremoto.movistar.es/Admin/Login.aspx?chcode=5450
- Heartbeat Interval (Check every 60 seconds): 60
- Retries: 2
- Heartbeat Retry Interval (Retry every 60 seconds): 60
- Request Timeout (Timeout after 48 seconds): 48
- Resend Notification if Down X times consecutively (Resend disabled): 0

Advanced
- Certificate Expiry Notification (unchecked)
- Ignore TLS/SSL error for HTTPS websites: (unchecked)
- Upside Down Mode: (unchecked) Flip the status upside down. If the service is reachable, it is DOWN. (unchecked)
- Max. Redirects: 10
- Accepted Status Codes: 200-299
- Monitor Group: None
@CommanderStorm I am also having this issue, any update on a workaround or fix?
Sorry, forgot to comment: First of all, fix your server and make sure that it is spec-compliant. Whitespace after headers is simply not allowed.
You are able to get around this by adding the --insecure-http-parser flag to node (for docker, see NODE_OPTIONS).
But please, fix your services.
From the node docs:
--insecure-http-parser
Added in: node v13.4.0, node v12.15.0, node v10.19.0
Enable leniency flags on the HTTP parser. This may allow interoperability with non-conformant HTTP implementations.
When enabled, the parser will accept the following:
- Invalid HTTP headers values.
- Invalid HTTP versions.
- Allow message containing both Transfer-Encoding and Content-Length headers.
- Allow extra data after message when Connection: close is present.
- Allow extra transfer encodings after chunked has been provided.
- Allow \n to be used as token separator instead of \r\n.
- Allow \r\n not to be provided after a chunk.
- Allow spaces to be present after a chunk size and before \r\n.

All the above will expose your application to request smuggling or poisoning attack. Avoid using this option.
Given that this is alerting to a valid issue, I think closing as https://github.com/louislam/uptime-kuma/labels/wontfix is the best option.
@CommanderStorm
> Sorry, forgot to comment: First of all, fix your server and make sure that it is spec-compliant. Whitespace after headers is simply not allowed.

Which whitespace are you referring to here? Can you elaborate?
For the site mentioned above, that would be
set-cookie: TestCookie=true; path=/; secure; HttpOnly X-Frame-Options: DENY
=> these are 2 headers mashed together and separated by 3 whitespaces. They should be separated instead via a \r\n
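As an added example (not part of this thread, and not Uptime Kuma or Node.js code), the script below lints a raw response head for the framing problems raised here: a second field mashed into a header value, and LF used without CR. It goes beyond the thread by also flagging lines that begin with whitespace; the embedded-field check is a heuristic, and `lintResponseHead` and the sample response are constructed for illustration.

```javascript
'use strict';
// Added example. Lints the head of a raw HTTP/1.1 response (status line plus
// header fields) and reports lines a strict parser is likely to reject.

// Characters allowed in a field name (the RFC 9110 "token" rule).
const TCHAR = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]";
const TOKEN = new RegExp('^' + TCHAR + '+$');
// Heuristic: two or more blanks followed by "Name: " inside a field value.
const EMBEDDED = new RegExp('[ \\t]{2,}(' + TCHAR + '+):[ \\t]');

function lintResponseHead(raw) {
  const findings = [];
  const add = (line, issue, detail = '') => findings.push({ line, issue, detail });
  // Split on LF only, so a missing CR stays visible on each line.
  const lines = raw.split('\n');
  for (let i = 0; i < lines.length; i++) {
    let line = lines[i];
    const crlf = line.endsWith('\r');
    if (crlf) line = line.slice(0, -1);
    if (line === '') break;                      // blank line ends the head
    // The final chunk has no terminator at all, so it is not a bare LF.
    if (!crlf && i < lines.length - 1) add(i + 1, 'bare-lf');
    if (i === 0) continue;                       // status line, not a field
    if (/^[ \t]/.test(line)) { add(i + 1, 'obs-fold'); continue; }
    const colon = line.indexOf(':');
    const name = colon === -1 ? line : line.slice(0, colon);
    if (colon === -1 || !TOKEN.test(name)) { add(i + 1, 'bad-field-name', name); continue; }
    const m = EMBEDDED.exec(line.slice(colon + 1));
    if (m) add(i + 1, 'embedded-header', m[1]);
  }
  return findings;
}

// Constructed sample: the set-cookie line is the one quoted in this thread,
// the other lines are made up to exercise the remaining checks.
const SAMPLE =
  'HTTP/1.1 200 OK\r\n' +
  'content-type: text/html\r\n' +
  'set-cookie: TestCookie=true; path=/; secure; HttpOnly   X-Frame-Options: DENY\r\n' +
  'cache-control: no-store\n' +
  ' private\r\n' +
  '\r\n<html></html>';

console.log(lintResponseHead(SAMPLE));
```

When reading a saved capture, decode it as latin1 so every byte maps to exactly one character and line terminators are preserved.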
Very useful, thanks! From my curl tests using the command you posted on your previous comment it doesn't show like that.
Can you let me know which command you used to test?
Thanks!
On Tue, Aug 13, 2024, 4:58 PM Frank Elsinga @.***> wrote:
> For the site mentioned above, that would be set-cookie: TestCookie=true; path=/; secure; HttpOnly X-Frame-Options: DENY
> => these are 2 headers mashed together and separated by 3 whitespaces. They should be separated instead via a \r\n
No, I used the command I noted above on the url reported after that. Nothing special here, just careful reading through every line of the output.
I have found these related issues/pull requests
I have not found any similar issues.
Security Policy
Description
I use uptime kuma in docker. Recently I updated from 1.23.11 to 1.23.13 and after the upgrade, I started to get the following error on multiple https monitors: Parse Error: Unexpected whitespace after header value
Reproduction steps
Issue was encountered after upgrading to the latest version following: https://github.com/louislam/uptime-kuma/wiki/%F0%9F%86%99-How-to-Update
Commands:
docker pull louislam/uptime-kuma:1
docker stop uptime-kuma
docker rm uptime-kuma
Default
docker run -d --restart=always -p 3001:3001 -v uptime-kuma:/app/data --name uptime-kuma louislam/uptime-kuma:1 encountered
Expected behavior
Nothing else has changed in my environment besides the upgrade to the latest version. If I roll back to version 1.23.11 everything starts working.
Actual Behavior
Error Parse Error: Unexpected whitespace after header value in multiple HTTP monitors. (Not all of them) It seems to be random.
Uptime-Kuma Version
1.23.13
Operating System and Arch
Ubuntu 20.04.6 LTS
Browser
Google Chrome 126.0.6478.127
Deployment Environment
Relevant log output
No response