search

microsoft / iis-docker

Dockerfile for IIS
https://hub.docker.com/r/microsoft/iis/
MIT License
288 stars 128 forks source link

Container does not start if certain characters are used in environment variables #205

Open erenes opened 5 months ago

erenes commented 5 months ago

Steps to reproduce: docker run -p8000:80 -e TEST="%18" mcr.microsoft.com/windows/servercore/iis

Expected result: The container starts and has an environment variable "TEST" with value "%18"

Actual result: The container stops after showing the following output:

Stopping service 'w3svc'

 Service 'w3svc' has been stopped

APPCMD failed with error code -1072894421

Failed to update IIS configuration

Diagnosis The way environment variables are provided to the application running in the container is by adding them to the applicationHost config using appcmd.exe as following: C:\Windows\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/applicationPools /+"[name='DefaultAppPool'].environmentVariables.[name='TEST',value='%18']" /commit:apphost

Somewhere the value %18 is interpreted as escaped character 18, which is a control character that is not valid in XML. When using %64 for example, we get 'd' as the value for the environment variable, which is arguably worse than the container crashing.

Suggested fix The decoding happens in appcmd.exe as I have been able to reproduce the same problem locally when using the appcmd command in a local environment, it may or may not be intended behavior. The process that sends the environment variable commands to appcmd however is the iis servicemonitor, and it could escape the % character as %25 (the hex code for %).

I am not sure about the side effects of such a fix, but have been running it in production for almost four years now without issues,

PR available: https://github.com/microsoft/IIS.ServiceMonitor/pull/72

LeVraiSylvain commented 5 months ago

Good Luck

They closed all open issues last week...

image

erenes commented 5 months ago

I am aware, my original report #188 was also closed last week. When I asked for the details on the fix (because it was closed as "completed") they suggested to open a new issue so it could be prioritized.

In the end I've been working around this issue since 2020, it would be great if it could be fixed properly. Or at least people who google the error message can end up here and find what is going on without spending a week debugging it.

John-Hart commented 4 months ago

Thanks for opening the new issue. We'll look at this as soon as we can