This repository was archived by the owner on Nov 11, 2025. It is now read-only.

Special Characters in search show error and dump .ENV file to Browser #117

@Triggerhappyme

So in the search bar, or in the Search terms: of Detailed Search, if you include any of the following characters in your search
" or { or }
you get an error.
In this example I search for " and I am redirected to the URL:
http://127.0.0.1/search?query=%22&category=any&type=all&order_by=newest

with the following

/var/www/eckmar/vendor/elasticsearch/elasticsearch/src/Elasticsearch/Connections/Connection.php

    $exception = $this->tryDeserialize400Error($response);

    if (array_search($response['status'], $ignore) !== false) {
        return;
    }

    if ($statusCode === 400 && strpos($responseBody, "AlreadyExpiredException") !== false) {
        $exception = new AlreadyExpiredException($responseBody, $statusCode);
    } elseif ($statusCode === 403) {
        $exception = new Forbidden403Exception($responseBody, $statusCode);
    } elseif ($statusCode === 404) {
        $exception = new Missing404Exception($responseBody, $statusCode);
    } elseif ($statusCode === 409) {
        $exception = new Conflict409Exception($responseBody, $statusCode);
    } elseif ($statusCode === 400 && strpos($responseBody, 'script_lang not supported') !== false) {
        $exception = new ScriptLangNotSupportedException($responseBody. $statusCode);
    } elseif ($statusCode === 408) {
        $exception = new RequestTimeout408Exception($responseBody, $statusCode);
    } else {
        $exception = new BadRequest400Exception($responseBody, $statusCode);
    }

    $this->logRequestFail(
        $request['http_method'],
        $response['effective_url'],
        $request['body'],
        $request['headers'],
        $response['status'],
        $response['body'],
        $response['transfer_stats']['total_time'],
        $exception
    );

    throw $exception;
}

/**
 * @param $request
 * @param $response
 * @param $ignore

Arguments

"{"error":{"root_cause":[{"type":"query_parsing_exception","reason":"Failed to parse query [*\"*]","index":"marketplace","line":1,"col":58}],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query","grouped":true,"failed_shards":[{"shard":0,"index":"marketplace","node":"dELvXojzTsWKXtVhGARHrA","reason":{"type":"query_parsing_exception","reason":"Failed to parse query [*\"*]","index":"marketplace","line":1,"col":58,"caused_by":{"type":"parse_exception","reason":"Cannot parse '*\"*': Lexical error at line 1, column 4.  Encountered: <EOF> after : \"\\\"*\"","caused_by":{"type":"token_mgr_error","reason":"Lexical error at line 1, column 4.  Encountered: <EOF> 

Then my whole .env file is displayed. It seems this is done by the Whoops PrettyPageHandler.php.

In the code I found that it dumps the following on the page:

    "tables" => [
        "GET Data"              => $this->masked($_GET, '_GET'),
        "POST Data"             => $this->masked($_POST, '_POST'),
        "Files"                 => isset($_FILES) ? $this->masked($_FILES, '_FILES') : [],
        "Cookies"               => $this->masked($_COOKIE, '_COOKIE'),
        "Session"               => isset($_SESSION) ? $this->masked($_SESSION, '_SESSION') : [],
        "Server/Request Data"   => $this->masked($_SERVER, '_SERVER'),
        "Environment Variables" => $this->masked($_ENV, '_ENV'),
    ],

I think it's an issue with sanitizing but I'm not sure? Can anyone shed some light please.
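
One way to handle the failure reported above, as an added example that is not part of the original issue or the repository's code: escape the characters that Elasticsearch's `query_string` syntax reserves before building the `*term*` query seen in the error output, and catch the resulting exception so it never reaches the debug error page. The function names are hypothetical, and `$search` stands in for whatever call the application makes to Elasticsearch.

```php
<?php
// Added example, not code from the repository; all function names are hypothetical.

// Escape query_string operators so user input is matched as literal text.
function escapeQueryString(string $input): string
{
    // "<" and ">" cannot be escaped in query_string syntax, so drop them.
    $input = str_replace(['<', '>'], '', $input);
    // Backslash-escape the remaining reserved characters
    // (escaping each & and | also neutralizes && and ||).
    return preg_replace('#[+\-=&|!(){}\[\]^"~*?:\\\\/]#', '\\\\$0', $input);
}

// Build the wildcard query the error output shows (*term*), with the term escaped.
function buildSearchBody(string $userInput): array
{
    $term = trim(escapeQueryString($userInput));
    if ($term === '') {
        return ['query' => ['match_all' => new stdClass()]];
    }
    return ['query' => ['query_string' => ['query' => '*' . $term . '*']]];
}

// Run the search; on any client or parse error, log server-side and return
// an empty result instead of letting the exception reach the error page.
function safeSearch(callable $search, string $userInput): array
{
    try {
        return $search(buildSearchBody($userInput));
    } catch (\Exception $e) {
        error_log('search failed: ' . get_class($e));
        return [];
    }
}

// Constructed inputs: the three characters from the report plus a normal term.
foreach (['"', '{', '}', 'blue "widget"'] as $input) {
    echo json_encode(buildSearchBody($input)), PHP_EOL;
}
```

Escaping only stops the parse error; the `.env` dump comes from the Whoops page being rendered at all. Assuming this is a Laravel application, that happens when `APP_DEBUG=true`, and setting it to `false` on any reachable deployment keeps environment variables out of error responses.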
