Shopware and the percent sign

Today everyone should use secure passwords. A secure password consists of chars, digits and special chars like the % (percentage sign). But not with Shopware 5. If you use the percentage sign with your database password a strange error occours:

PHP Fatal error:  Uncaught
Symfony\\Component\\DependencyInjection\\Exception\\ParameterNotFoundException:
The parameter "shopware.db" has a dependency on a non-existent parameter "y".
Did you mean one of these: "shopware.bundle.content_type.types",
"shopware.filesystem", "shopware.filesystem.private",
"shopware.filesystem.private.type", "shopware.filesystem.private.config",
"shopware.filesystem.private.config.root", "shopware.filesystem.public",
"shopware.filesystem.public.type", "shopware.filesystem.public.config",
"shopware.filesystem.public.config.root",
"shopware.filesystem.public.config.url", "shopware.cdn.strategy",
"shopware.cdn.adapters.local.type", "shopware.cdn.adapters.ftp.type",
"shopware.cdn.adapters.s3.type", "shopware.cdn.adapters.s3.credentials.key",
"shopware.cdn.adapters.gcp.type", "shopware.cdn.adapters.gcp.keyFilePath",
"shopware.es.dynamic_mapping_enabled", "shopware.plugin_directories.Community",
"shopware.session.cookie_httponly", "shopware.session.gc_probability",
"shopware.phpsettings.display_errors", "sh in
/home/shopware/public_html/vendor/symfony/dependency-injection/ParameterBag/ParameterBag.php on line 102

It took a while until I discovered that the culprit is the password. It contains a '%' which triggers a replacement feature of shopware. This is really bad, because there is no difference in using single or double quotes for the password. It seems that the password runs through the ParametersBag Class to do fancy shit with replacements.

Shopware decided to disable bugreporting via github, so i report this bug here, for future references :)

posted on Thu, 20 May 2021 by rokku; last modified Wed, 19 June 2024