Web UI refuses to connect when sending certain cookies #1688

Closed
1 task done
jamieburchell opened this issue Jan 28, 2024 · 16 comments · Fixed by #1741
@jamieburchell
Contributor

jamieburchell commented Jan 28, 2024

  • I confirm that this is an issue rather than a question.

Bug report

I couldn't get the web UI to load when accessing port 8090. The browser appeared to spend ages trying to connect, before eventually giving up. Curiously, in an Incognito window, the web UI was accessible.

I looked at systemctl status of the Hyperion service and noticed warnings about invalid headers being sent. The headers contained large cookie payloads from the TVHeadend service I run on the same IP. Deleting those cookies solved the issue.

Question, I guess, is why does the web service for Hyperion seemingly choke on them?

Jan 27 19:58:49 osmc hyperiond[1515]: Error : incorrect HTTP headers line : "5255Ewidth%25253Dn%2525253A33%255Eo%25253Aid%25253Dn%2525253A14%25255Ewidth%25253Dn%2525253A137%255Eo%25253Aid%25253Dn%2525253A15%25255Ewidth%25253Dn%2525253A137%255Eo%25253Aid%25253Dn%2525253A16%25255Ewidth%25253Dn%2525253A137%255Eo%25253Aid%25253Dn%2525253A17%25255Ewidth%25253Dn%2525253A137%5Esort%3Do%253Afield%253Ds%25253Astart_real%255Edirection%253Ds%25253AASC%5Efilters%3Do%253A; ys-api/dvr/entry/grid_finished=o%3Acolumns%3Da%253Ao%25253Aid%25253Ds%2525253Adetails%25255Ewidth%25253Dn%2525253A46%255Eo%25253Aid%25253Dn%2525253A1%25255Ewidth%25253Dn%2525253A27%255Eo%25253Aid%25253Dn%2525253A2%25255Ewidth%25253Dn%2525253A202%255Eo%25253Aid%25253Dn%2525253A3%25255Ewidth%25253Dn%2525253A202%255Eo%25253Aid%25253Dn%2525253A4%25255Ewidth%25253Dn%2525253A202%25255Ehidden%25253Db%2525253A1%255Eo%25253Aid%25253Dn%2525253A5%25255Ewidth%25253Dn%2525253A202%255Eo%25253Aid%25253Dn%2525253A6%25255Ewidth%25253Dn%2525253A94%255Eo%25253Aid%25253Dn%2525253A7%25255Ewidth%25253Dn%2525253A94%255Eo%25253Aid%25253Dn%2525253A8%25255Ewidth%25253Dn%2525253A54%255Eo%25253Aid%25253Dn%2525253A9%25255Ewidth%25253Dn%2525253A54%255Eo%25253Aid%25253Dn%2525253A10%25255Ewidth%25253Dn%2525253A54%255Eo%25253Aid%25253Dn%2525253A11%25255Ewidth%25253Dn%2525253A54%255Eo%25253Aid%25253Dn%2525253A12%25255Ewidth%25253Dn%2525253A54%25255Ehidden%25253Db%2525253A1%255Eo%25253Aid%25253Dn%2525253A13%25255Ewidth%25253Dn%2525253A202%255Eo%25253Aid%25253Dn%2525253A14%25255Ewidth%25253Dn%2525253A202%255Eo%25253Aid%25253Dn%2525253A15%25255Ewidth%25253Dn%2525253A202%255Eo%25253Aid%25253Dn%2525253A16%25255Ewidth%25253Dn%2525253A202%5Esort%3Do%253Afield%253Ds%25253Astart_real%255Edirection%253Ds%25253ADESC%5Efilters%3Do%253A\r\n"

Steps to reproduce

Send large cookie payload such as those sent by TVHeadend

What is expected?

WebUI will load

What is actually happening?

WebUI never connects.

System

Hyperion Server:
- Build:             (HEAD detached at 2.0.16) (Paulchen-Panther-cb85d2d/a93d79b-1705568419)
- Build time:        Jan 18 2024 09:30:40
- Git Remote:        https://github.com/hyperion-project/hyperion.ng
- Version:           2.0.16
- UI Lang:           en (BrowserLang: en-GB)
- UI Access:         default
- Avail Screen Cap.: dispmanx,framebuffer,qt
- Avail Video  Cap.: v4l2
- Avail Audio  Cap.: audio
- Avail Services:    boblight,cec,effectengine,forwarder,flatbuffer,protobuffer,mDNS,SSDP,borderdetection
- Config path:       /home/osmc/.hyperion
- Database:          read/write
- Mode:              Non-GUI

Hyperion Server OS:
- Distribution:      Open Source Media Center
- Architecture:      arm
- CPU Model:         ARMv7 Processor rev 5 (v7l)
- CPU Type:          Raspberry Pi 2 Model B Rev 1.1
- CPU Revision:      a01041
- CPU Hardware:      BCM2835
- Kernel:            linux (4.19.122-2-osmc (WS: 32))
- Root/Admin:        false
- Qt Version:        5.11.3
- Python Version:    3.7.3
- Browser:           Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/120.0.6099.119 Mobile/15E148 Safari/604.1
@Lord-Grey
Collaborator

There seems to be traffic sent to Hyperion's port 8090 which is not for Hyperion.
That is likely to be caused by a misconfiguration of another component (e.g. TVHeadend).
This is not a Hyperion issue, as due to misconfiguration of another component Hyperion is not able to respond to the valid service requests.
Suggest you clean up your system and component configurations.

@Lord-Grey Lord-Grey added No-Hyperion Issue This Issue is NOT related to hyperion itself and removed Waiting For Review labels Feb 4, 2024
@jamieburchell
Contributor Author

jamieburchell commented Feb 4, 2024

@Lord-Grey I think you've misunderstood the issue a little. This is not a misconfiguration of another component, rather just how browsers work. Essentially Hyperion's web service hangs and produces those errors if the browser sends those cookies. Regardless of where those cookies are from originally (i.e. set by other services running on the same IP) I wouldn't expect the service to just hang. For example, other web services on the same IP don't have an issue receiving that cookie payload.

It's not a problem now I know what causes it, I can just remove the cookies. But IMO something is amiss with Hyperion's web service to cause it to choke when presented with valid cookies.

@Lord-Grey
Collaborator

Can you tell me how to reproduce the cookie sending scenario?

@Lord-Grey Lord-Grey reopened this Feb 4, 2024
@Lord-Grey Lord-Grey added needs investigation Further testing is required and removed No-Hyperion Issue This Issue is NOT related to hyperion itself labels Feb 4, 2024
@jamieburchell
Contributor Author

jamieburchell commented Feb 4, 2024

> Can you tell me how to reproduce the cookie sending scenario?

Sure, basically need to send a cookie with a request to the web UI. I can repro this for example using Postman. Are you familiar with that tool?

Alternatively, you could add the cookie directly to the developer console in a browser.

The cookie is:

ys-api/dvr/entry/grid_upcoming=o%3Acolumns%3Da%253Ao%25253Aid%25253Ds%2525253Adetails%25255Ewidth%25253Dn%2525253A46%255Eo%25253Aid%25253Dn%2525253A1%25255Ewidth%25253Dn%2525253A79%255Eo%25253Aid%25253Dn%2525253A2%25255Ewidth%25253Dn%2525253A76%255Eo%25253Aid%25253Dn%2525253A3%25255Ewidth%25253Dn%2525253A164%255Eo%25253Aid%25253Dn%2525253A4%25255Ewidth%25253Dn%2525253A164%255Eo%25253Aid%25253Dn%2525253A5%25255Ewidth%25253Dn%2525253A164%25255Ehidden%25253Db%2525253A1%255Eo%25253Aid%25253Dn%2525253A6%25255Ewidth%25253Dn%2525253A164%255Eo%25253Aid%25253Dn%2525253A7%25255Ewidth%25253Dn%2525253A134%255Eo%25253Aid%25253Dn%2525253A8%25255Ewidth%25253Dn%2525253A76%255Eo%25253Aid%25253Dn%2525253A9%25255Ewidth%25253Dn%2525253A42%255Eo%25253Aid%25253Dn%2525253A10%25255Ewidth%25253Dn%2525253A164%255Eo%25253Aid%25253Dn%2525253A11%25255Ewidth%25253Dn%2525253A42%255Eo%25253Aid%25253Dn%2525253A12%25255Ewidth%25253Dn%2525253A42%255Eo%25253Aid%25253Dn%2525253A13%25255Ewidth%25253Dn%2525253A42%255Eo%25253Aid%25253Dn%2525253A14%25255Ewidth%25253Dn%2525253A164%255Eo%25253Aid%25253Dn%2525253A15%25255Ewidth%25253Dn%2525253A164%255Eo%25253Aid%25253Dn%2525253A16%25255Ewidth%25253Dn%2525253A164%255Eo%25253Aid%25253Dn%2525253A17%25255Ewidth%25253Dn%2525253A164%5Esort%3Do%253Afield%253Ds%25253Astart_real%255Edirection%253Ds%25253AASC%5Efilters%3Do%253A; Path=/; Expires=Mon, 03 Feb 2025 19:41:36 GMT;

@maatthc

maatthc commented Mar 8, 2024

I have a Heimdall page that has a link to Hyperion - both on the same server running on different ports. When I click on the Hyperion link, these are the cookies passed to it:
{ "name": "Cookie", "value": "username-tv-home-8888=\"2|1:0|10:1709012260|21:username-tv-home-8888|200:eyJ1c2VybmFtZSI6ICJkMDVhNmEzZjUwNzI0ZWI1OGQ3NWRiNzhmNTFiMWFmMSIsICJuYW1lIjogIkFub255bW91cyBMeXNpdGhlYSIsICJkaXNwbGF5X25hbWUiOiAiQW5vbnltb3VzIEx5c2l0aGVhIiwgImluaXRpYWxzIjogIkFMIiwgImNvbG9yIjogbnVsbH0=|4adc7bde79890b5fb66554eafdedaa0ac9fa54b40ec3354c34cd7c59dc24692d\"; Jackett=CfDJ8HjRJ5FJQRxNgmki4Du0IqSr9Mc01g7QfzKxdKVyPICaHE2BpWvwbXTuJj1EL1nk_nnO_uIR5laLOIJxsOYKpuMi61Teuhoz-7iLY5prCqEYMlYSo2iLJ6hiJzzZvqD3gRtU155MIokT4Ctr0k-p0Vps55QVdTa5gTfeAor813RJFVOGxZchqVGT6WA7gI5ny7rimOmQRXNZ9D_ufpy4P9I5CeCBYEOm2cqhts9v4lmSYPyNj3CXEM3WGx4QiU-1Xx9NRAVbiHQW9nh7gqiKUgkuaU-uMMr0T8D6ljyx7cShIZ1oTq5EWSfPjOMn6yp3Fwhm5yBCMJMTOVDMoFkoXNs; PHPSESSID=6140ei3n414n176v8sl9ichmgp; _xsrf=2|f78a70ba|853b532fa1c5d0f09e9f8ed0ccc50cad|1705804262; XSRF-TOKEN=eyJpdiI6ImtGbDNsS2NycWNScWViY3dXU0NvbEE9PSIsInZhbHVlIjoiWFNIWUoyRldrSDN3dGpYaWNwY1N0SzdJcVZSeVN2UDhrZmFNY09zakFUYmI4SVljNWRnN1Qwc3hTSjB0OXk3cGtBOGNNdTdRMUlyaU5ubytXOS96SnROTWdKbW40VzVEUGtldDAySm1CMW02Ni8veWZML28wOHdaYlZPVG5pdWsiLCJtYWMiOiIwYTU5NWRhNWI2ZDUzYTczYmU3NWQ4OWVkNWM1NTE0OTJkYzcyNWU3MjNkOWUyZGViZDA4NTljYjM3Y2MwYjM2IiwidGFnIjoiIn0%3D; heimdall_session=eyJpdiI6Im5zTDVBK3c1N2tsYkNhN2tqcnZOaHc9PSIsInZhbHVlIjoieFJrYVdWNzcwdUNBNnV4OGdBNC9wS2JRcUIvUnl5aHpMcTZjcWFCUFJuZDZFUjJqUk5jZndrU1JERG1SY0xKVkk5V3NKTG5xaklsRWM2UnFKRWswOTJhVFU2R0ZkT0Z2MWkvMXRTc1BIZWFqNG9kcWwrTjZVdW9GVEJFeU9VTWgiLCJtYWMiOiJkM2RmNTFiN2VjNTljYmZiMTVmMWRhZGY0NWM2YjA0M2I5ODY2ZTBiOWFkYTRmODNmOGMyYmUzMDRlY2RjYTFlIiwidGFnIjoiIn0%3D"},

I guess that due to the size of the HEADERS, Hyperion fails with this error:

Error : incorrect HTTP headers line : "2IiwidGFnIjoiIn0%3D; heimdall_session=eyJpdiI6Im5zTDVBK3c1N2tsYkNhN2tqcnZOaHc9PSIsInZhbHVlIjoieFJrYVdWNzcwdUNBNnV4OGdBNC9wS2JRcUIvUnl5aHpMcTZjcWFCUFJuZDZFUjJqUk5jZndrU1JERG1SY0xKVkk5V3NKTG5xaklsRWM2UnFKRWswOTJhVFU2R0ZkT0Z2MWkvMXRTc1BIZWFqNG9kcWwrTjZVdW9GVEJFeU9VTWgiLCJtYWMiOiJkM2RmNTFiN2VjNTljYmZiMTVmMWRhZGY0NWM2YjA0M2I5ODY2ZTBiOWFkYTRmODNmOGMyYmUzMDRlY2RjYTFlIiwidGFnIjoiIn0%3D\r\n"
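
Added example (not part of the thread and not Hyperion's code): the logged fragments in this thread begin partway through a cookie value, which is what a parser reports when a header line split across socket reads is treated as a complete line. Assuming that failure mode, this C++ reader buffers until CRLF, caps total header bytes, and returns an explicit oversize state instead of stalling; all names and the 8 KiB cap used in testing are hypothetical.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical names; constructed for illustration, not Hyperion's code.
enum class ParseState { NeedMore, Complete, TooLarge, Malformed };
// A header line needs a field name before ':'; a mid-cookie fragment fails this.
bool looksLikeHeaderLine(const std::string& line) {
    std::size_t colon = line.find(':');
    return colon != std::string::npos && colon != 0;
}

class HeaderReader {
public:
    explicit HeaderReader(std::size_t maxBytes) : maxBytes_(maxBytes) {}
    // Feed one socket read; chunk boundaries may fall anywhere in a line.
    ParseState feed(const std::string& chunk) {
        if (state_ != ParseState::NeedMore) return state_;
        buf_ += chunk;
        std::size_t eol;
        while ((eol = buf_.find("\r\n", pos_)) != std::string::npos) {
            std::string line = buf_.substr(pos_, eol - pos_);
            pos_ = eol + 2;
            if (pos_ > maxBytes_) return state_ = ParseState::TooLarge;
            if (line.empty()) return state_ = ParseState::Complete; // blank line ends headers
            if (!sawRequestLine_) { sawRequestLine_ = true; continue; }
            if (!looksLikeHeaderLine(line)) return state_ = ParseState::Malformed;
            headers_.push_back(line);
        }
        // A partial line stays buffered until its CRLF arrives; past the cap
        // the caller should answer 431 and close rather than keep waiting.
        if (buf_.size() > maxBytes_) return state_ = ParseState::TooLarge;
        return ParseState::NeedMore;
    }
    const std::vector<std::string>& headers() const { return headers_; }
private:
    std::size_t maxBytes_, pos_ = 0;
    bool sawRequestLine_ = false;
    ParseState state_ = ParseState::NeedMore;
    std::string buf_;
    std::vector<std::string> headers_;
};
// Constructed sample: a request whose Cookie value is cookieLen bytes long.
std::string sampleRequest(std::size_t cookieLen) {
    return "GET / HTTP/1.1\r\nHost: localhost:8090\r\nCookie: k=" + std::string(cookieLen, 'A') + "\r\n\r\n";
}
// Deliver raw to the reader n bytes at a time, as separate socket reads would.
ParseState feedInChunks(HeaderReader& r, const std::string& raw, std::size_t n) {
    ParseState s = ParseState::NeedMore;
    for (std::size_t i = 0; i < raw.size() && s == ParseState::NeedMore; i += n)
        s = r.feed(raw.substr(i, n));
    return s;
}
```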

@Lord-Grey
Collaborator

@jamieburchell / @maatthc Is there a chance that you provide me a curl sample how to test this scenario, please?
Seems I do not have enough background setting the right value in my requests to reproduce the same. :(

@Lord-Grey Lord-Grey added Waiting for Input and removed needs investigation Further testing is required labels May 13, 2024
@jamieburchell
Contributor Author

jamieburchell commented May 13, 2024

@Lord-Grey I can't get a cURL version to work at the moment. I can reproduce it by manually adding the cookie in Chrome's dev tools although it's slightly tricky to do that because Hyperion is making a call every few seconds to cfg_jsonserver

@Lord-Grey
Collaborator

Could you do me a screenshot where in the dev tools you add it?

@jamieburchell
Contributor Author

> Could you do me a screenshot where in the dev tools you add it?

I was just making a screencast :)

https://www.dropbox.com/scl/fi/l6b97gp99yhsdthwci9s9/hyperion-webui-hang.mp4?rlkey=2av3ac6su72jeo08e14i74lbc&dl=0

@Lord-Grey
Collaborator

Thank you for your support!
I will have a look into it during the week.

@jamieburchell
Contributor Author

Bizarrely, the same request in cURL does not trigger the issue. Copied below for reference.

curl 'http://localhost:8090/' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
  -H 'Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,la;q=0.7' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Cookie: ys-api/dvr/entry/grid_upcoming=o%3Acolumns%3Da%253Ao%25253Aid%25253Ds%2525253Adetails%25255Ewidth%25253Dn%2525253A46%255Eo%25253Aid%25253Dn%2525253A1%25255Ewidth%25253Dn%2525253A79%255Eo%25253Aid%25253Dn%2525253A2%25255Ewidth%25253Dn%2525253A76%255Eo%25253Aid%25253Dn%2525253A3%25255Ewidth%25253Dn%2525253A164%255Eo%25253Aid%25253Dn%2525253A4%25255Ewidth%25253Dn%2525253A164%255Eo%25253Aid%25253Dn%2525253A5%25255Ewidth%25253Dn%2525253A164%25255Ehidden%25253Db%2525253A1%255Eo%25253Aid%25253Dn%2525253A6%25255Ewidth%25253Dn%2525253A164%255Eo%25253Aid%25253Dn%2525253A7%25255Ewidth%25253Dn%2525253A134%255Eo%25253Aid%25253Dn%2525253A8%25255Ewidth%25253Dn%2525253A76%255Eo%25253Aid%25253Dn%2525253A9%25255Ewidth%25253Dn%2525253A42%255Eo%25253Aid%25253Dn%2525253A10%25255Ewidth%25253Dn%2525253A164%255Eo%25253Aid%25253Dn%2525253A11%25255Ewidth%25253Dn%2525253A42%255Eo%25253Aid%25253Dn%2525253A12%25255Ewidth%25253Dn%2525253A42%255Eo%25253Aid%25253Dn%2525253A13%25255Ewidth%25253Dn%2525253A42%255Eo%25253Aid%25253Dn%2525253A14%25255Ewidth%25253Dn%2525253A164%255Eo%25253Aid%25253Dn%2525253A15%25255Ewidth%25253Dn%2525253A164%255Eo%25253Aid%25253Dn%2525253A16%25255Ewidth%25253Dn%2525253A164%255Eo%25253Aid%25253Dn%2525253A17%25255Ewidth%25253Dn%2525253A164%5Esort%3Do%253Afield%253Ds%25253Astart_real%255Edirection%253Ds%25253AASC%5Efilters%3Do%253A' \
  -H 'Pragma: no-cache' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36'

@jamieburchell
Contributor Author

jamieburchell commented May 13, 2024

I think JavaScript could be playing a part in this issue - specifically the frequent ajax requests. When I disable JavaScript in the dev console settings and refresh, the page does not hang. When I re-enable it and refresh, the page hangs. I guess that explains why the cURL request is unaffected.

@jamieburchell
Contributor Author

jamieburchell commented May 13, 2024

Some other occurrences of this issue in the wild.

@Lord-Grey
Collaborator

> I was just making a screencast :)

Thank you, that was really helpful.
I have now seen Cookies coming in…. :)

Unfortunately, I was not able to reproduce the issue.
I suspect that there is some issue before and we see the side-effect.

@jamieburchell Would it be ok that I provide you with a special build which traces the messages and processing within Hyperion in your environment?
You would require an armv7 build, if I am not mistaken?…

Alternatively, I could give you some code in case you would like to build yourself.

@jamieburchell
Contributor Author

> @jamieburchell Would it be ok that I provide you with a special build which traces the messages and processing within Hyperion in your environment?

Sure! Happy to help. I usually install an armv7 deb file. If you need me to install another way I might need some instructions. Not sure how fast building from source would be on the Pi...

@Lord-Grey
Collaborator

@jamieburchell Thanks for your support!
I pinged you the instruction to your user in the Hyperion forum.
If you are on the Hyperion Discord, you could also provide the feedback or questions contacting me privately.

Lord-Grey added a commit to Lord-Grey/hyperion.ng that referenced this issue May 17, 2024
@Lord-Grey Lord-Grey self-assigned this May 17, 2024
@Lord-Grey Lord-Grey added this to In Progress in Core May 17, 2024
Core automation moved this from In Progress to Done May 18, 2024