fatal error when using database password with two %

[fritzmg]

Reproduction

1. Set the password of your MySQL database user to asd%asd%asd for example.
2. Install the Contao Managed Edition and open the Install Tool
3. Fill in the credentials of your database user and save.

The following fatal error will occur:

Fatal error: Uncaught Symfony\Component\DependencyInjection\Exception\ParameterNotFoundException: You have requested a non-existent parameter "asd". 
in …\vendor\symfony\symfony\src\Symfony\Component\DependencyInjection\ParameterBag\ParameterBag.php:100 Stack trace:
#0 …\vendor\symfony\symfony\src\Symfony\Component\DependencyInjection\ParameterBag\EnvPlaceholderParameterBag.php(56): Symfony\Component\DependencyInjection\ParameterBag\ParameterBag->get('asd') #1 …\vendor\symfony\symfony\src\Symfony\Component\DependencyInjection\ParameterBag\ParameterBag.php(232): Symfony\Component\DependencyInjection\ParameterBag\EnvPlaceholderParameterBag->get('asd')
#2 [internal function]: Symfony\Component\DependencyInjection\ParameterBag\ParameterBag->Symfony\Component\DependencyInjection\ParameterBag\{closure}(Array)
#3 …\vendor\symfony\symfony\src\Symfony\Component\DependencyInjection\ParameterBag\ParameterBag.php(242): preg_replace_callback('/%%|%([^%\\s]+ 
in …\vendor\symfony\symfony\src\Symfony\Component\DependencyInjection\ParameterBag\ParameterBag.php on line 100

Cause

The Install Tool creates the following parameters.yml:

parameters:
    database_password: asd%asd%asd

If any of your Symfony parameters contain two %, you need to escape them. This will work:

parameters:
    database_password: asd%%asd%%asd

According to https://stackoverflow.com/a/27274304/374996 using double quotes should also work, but I cannot confirm that. The error still occurs when using "asd%asd%asd".

[Toflar]

It should be single quoted. So

database_password: 'asd%asd%asd'

can you check that, pls? :) Afaik unquoted strings will be (or are already?) deprecated anyway.

[fritzmg]

Afaik unquoted strings will be (or are already?) deprecated anyway.

Hmm, this article only says

In Symfony 3.1, the usage of % at the beginning of an unquoted string is deprecated and it will be removed in Symfony 4.0.

But in this case, the % is not at the beginning of the unquoted string.

Using database_password: 'asd%asd%asd' also does not work. Another user confirmed that here also.

[dmolineus]

Every "%" has to be escaped with a second one no matter if it's at the beginning of not. See http://symfony.com/doc/current/service_container/parameters.html#parameters-in-configuration-files

"If you use a string that starts with @ or has % anywhere in it, you need to escape it by adding another @ or %:"

[leofeyer]

Fixed in 9bd4ea0c3fff9010296befb9a7fdc42719c51a96.

[Toflar]

Same should be done for @!

[leofeyer]

I wonder why the Sf parameter dumper does not do this by default? It also does not add any quotes.

[leofeyer]

Strings containing any of the following characters must be quoted. Although you can use double quotes, for these characters it is more convenient to use single quotes, which avoids having to escape any backslash \:

• :, {, }, [, ], ,, &, *, #, ?, |, -, <, >, =, !, %, @, `````

If the string contains any of the following control characters, it must be escaped with double quotes:

• \0, \x01, \x02, \x03, \x04, \x05, \x06, \a, \b, \t, \n, \v, \f, \r, \x0e, \x0f, \x10, \x11, \x12, \x13, \x14, \x15, \x16, \x17, \x18, \x19, \x1a, \e, \x1c, \x1d, \x1e, \x1f, \N, \_, \L, \P

Are we supposed to check this ourselves?

[Toflar]

Where did you get that info from?

[leofeyer]

https://symfony.com/doc/current/components/yaml/yaml_format.html#strings

[leofeyer]

There is an Escaper class, which however does not handle % and @.

[Toflar]

That should be done automatically when you use https://github.com/symfony/symfony/blob/c5cbc83a59eb218d720f31b0c5263e93dbf93a45/src/Symfony/Component/Yaml/Inline.php#L106

[leofeyer]

https://github.com/symfony/symfony/issues/23474

[stof]

The escaping of % by doubling them has nothing to do with the YAML component. It is not a YAML escaping. It is a Symfony DI escaping (because % is used there to represent the usage of parameters). If you dump a YAML file which will be parse to configure the DI component, you need to account for several escaping: the content sent to the YAML dumper needs to contain the necessary DI escaping (the YAML dumper won't do it, as it knows nothing about DI).

[stof]

Btw, the YAML way of escaping the % at the beginning of a value is to quote the value. But this won't escape things for DI at all, as the YAML parsing will still give you a single %

[leofeyer]

Thanks @stof for shedding some light on this.

[leofeyer]

Fixed in 263af555f4702487feebe0112eb3d52f4793d843 now.

[Toflar]

Thanks @stof! Makes sense! I still think the fix is wrong, though :-) There's a DependencyInjection/Dumper/YamlDumper which handles escaping itself: https://github.com/symfony/symfony/blob/master/src/Symfony/Component/DependencyInjection/Dumper/YamlDumper.php#L342

[stof]

@Toflar you could use this dumper to dump a ContainerBuilder in which you would have added the parameters. But I'm not sure it would work that well.

Btw, inside a parameter, you don't need to double the initial @ (it has a special meaning only in arguments in the YAML format, not in parameters)

[Toflar]

Ah true, thanks for your comments - highly appreciated :)

[leofeyer]

Btw, inside a parameter, you don't need to double the initial @

Removed in 7ce8feb6a9b9d416e4ccfe7556dd5f73f55e5437.