From dbbb2b441d4022c2f04d7e09a8c51594426a2380 Mon Sep 17 00:00:00 2001
From: matlec <mathieu.lechat@sensiolabs.com>
Date: Wed, 30 Jul 2025 16:29:38 +0200
Subject: [PATCH] [DependencyInjection] Escape parameters before resolving env
 placeholders

---
 .../DependencyInjection/ContainerBuilder.php     | 16 +++++++++++++++-
 .../Tests/ContainerBuilderTest.php               |  3 ++-
 .../Translation/Tests/TranslatorCacheTest.php    |  4 ++--
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/src/Symfony/Component/DependencyInjection/ContainerBuilder.php b/src/Symfony/Component/DependencyInjection/ContainerBuilder.php
index 8fc3645590d3..fdbd290baf88 100644
--- a/src/Symfony/Component/DependencyInjection/ContainerBuilder.php
+++ b/src/Symfony/Component/DependencyInjection/ContainerBuilder.php
@@ -777,7 +777,7 @@ public function compile(bool $resolveEnvPlaceholders = false)
 
         if ($bag instanceof EnvPlaceholderParameterBag) {
             if ($resolveEnvPlaceholders) {
-                $this->parameterBag = new ParameterBag($this->resolveEnvPlaceholders($bag->all(), true));
+                $this->parameterBag = new ParameterBag($this->resolveEnvPlaceholders($this->escapeParameters($bag->all()), true));
             }
 
             $this->envPlaceholders = $bag->getEnvPlaceholders();
@@ -1728,4 +1728,18 @@ private function inVendors(string $path): bool
 
         return $this->pathsInVendor[$path] = false;
     }
+
+    private function escapeParameters(array $parameters): array
+    {
+        $params = [];
+        foreach ($parameters as $k => $v) {
+            $params[$k] = match (true) {
+                \is_array($v) => $this->escapeParameters($v),
+                \is_string($v) => str_replace('%', '%%', $v),
+                default => $v,
+            };
+        }
+
+        return $params;
+    }
 }
diff --git a/src/Symfony/Component/DependencyInjection/Tests/ContainerBuilderTest.php b/src/Symfony/Component/DependencyInjection/Tests/ContainerBuilderTest.php
index b8e4bd0163d1..a04f54e7a9e4 100644
--- a/src/Symfony/Component/DependencyInjection/Tests/ContainerBuilderTest.php
+++ b/src/Symfony/Component/DependencyInjection/Tests/ContainerBuilderTest.php
@@ -884,6 +884,7 @@ public function testCompileWithResolveEnv()
         $container->setParameter('bar', '%% %env(DUMMY_ENV_VAR)% %env(DUMMY_SERVER_VAR)% %env(HTTP_DUMMY_VAR)%');
         $container->setParameter('foo', '%env(FOO)%');
         $container->setParameter('baz', '%foo%');
+        $container->setParameter('qux', '%%quux%%');
         $container->setParameter('env(HTTP_DUMMY_VAR)', '123');
         $container->register('teatime', 'stdClass')
             ->setProperty('foo', '%env(DUMMY_ENV_VAR)%')
@@ -1128,7 +1129,7 @@ public function testAddObjectResource()
 
         $this->assertCount(1, $resources);
 
-        /** @var \Symfony\Component\Config\Resource\FileResource $resource */
+        /** @var FileResource $resource */
         $resource = end($resources);
 
         $this->assertInstanceOf(FileResource::class, $resource);
diff --git a/src/Symfony/Component/Translation/Tests/TranslatorCacheTest.php b/src/Symfony/Component/Translation/Tests/TranslatorCacheTest.php
index 990caee16690..4199f596771b 100644
--- a/src/Symfony/Component/Translation/Tests/TranslatorCacheTest.php
+++ b/src/Symfony/Component/Translation/Tests/TranslatorCacheTest.php
@@ -46,9 +46,9 @@ protected function deleteTmpDir()
                 continue;
             }
             if ($path->isDir()) {
-                rmdir($path->__toString());
+                @rmdir($path->__toString());
             } else {
-                unlink($path->__toString());
+                @unlink($path->__toString());
             }
         }
         rmdir($this->tmpDir);