[5.x]: Database Backup (Postgres) fails if password contains special characters.

[FabianRutishauser]

What happened?

Description

When generating a database backup from the ui and the CRAFT_DB_PASSWORD is set to a string containing "!" (exlamation mark) or "`" (backtick), then the backup (in the admin ui) fails. In the logs we can find the reason:

2025-04-23 12:34:00 [web.ERROR] [yii\base\Exception] Could not create backup: The shell command "PGPASSWORD="password-containing-backtick-or-!-somewhere" pg_dump '--dbname'='db-name' '--host'='host' '--port'='5432' '--username'='user' '--if-exists' '--clean' '--no-owner' '--no-privileges' '--no-acl' '--file'='filepath' '--schema'='public' '--exclude-table-data' 'public.assetindexdata' '--exclude-table-data' 'public.cache' '--exclude-table-data' 'public.imagetransformindex' '--exclude-table-data' 'public.resourcepaths' '--exclude-table-data' 'public.phpsessions' '--exclude-table-data' 'public.sessions'" failed with exit code 2: sh: 1: Syntax error: EOF in backquote substitution {"trace":["#0 [internal function]: craft\\controllers\\UtilitiesController->actionDbBackupPerformAction()","#1 /home/site/wwwroot/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array(Array, Array)","#2 /home/site/wwwroot/vendor/yiisoft/yii2/base/Controller.php(178): yii\\base\\InlineAction->runWithParams(Array)","#3 /home/site/wwwroot/vendor/yiisoft/yii2/base/Module.php(552): yii\\base\\Controller->runAction('db-backup-perfo...', Array)","#4 /home/site/wwwroot/vendor/craftcms/cms/src/web/Application.php(361): yii\\base\\Module->runAction('utilities/db-ba...', Array)","#5 /home/site/wwwroot/vendor/craftcms/cms/src/web/Application.php(660): craft\\web\\Application->runAction('utilities/db-ba...', Array)","#6 /home/site/wwwroot/vendor/craftcms/cms/src/web/Application.php(323): craft\\web\\Application->_processActionRequest(Object(craft\\web\\Request))","#7 /home/site/wwwroot/vendor/yiisoft/yii2/base/Application.php(384): craft\\web\\Application->handleRequest(Object(craft\\web\\Request))","#8 /home/site/wwwroot/web/index.php(12): yii\\base\\Application->run()","#9 {main}"],"memory":2918072,"exception":"[object] (yii\\base\\Exception(code: 0): Could not create backup: The shell command \"PGPASSWORD=\"password-containing-backtick-or-!-somewhere\" pg_dump '--dbname'='db-name' '--host'='host' '--port'='5432' '--username'='user' '--if-exists' '--clean' '--no-owner' '--no-privileges' '--no-acl' '--file'='filename' '--schema'='public' '--exclude-table-data' 'public.assetindexdata' '--exclude-table-data' 'public.cache' '--exclude-table-data' 'public.imagetransformindex' '--exclude-table-data' 'public.resourcepaths' '--exclude-table-data' 'public.phpsessions' '--exclude-table-data' 'public.sessions'\" failed with exit code 2: sh: 1: Syntax error: EOF in backquote substitution at /home/site/wwwroot/vendor/craftcms/cms/src/controllers/UtilitiesController.php:256)"}

The backtick triggers this error. When i remove it then i face another problem: the exclamation mark: In bash this is interpreted as event. If i enter "!Test" as password, then i get the error -bash: !Test: event not found

Steps to reproduce

1. Setup craft with a postgres-db
2. Choose a password with backtick or exclamation mark
3. Do a database-backup via admin-ui

Expected behavior

The special characters should be escaped properly when the command is concatinated.

Actual behavior

The special characters are not properly escaped.

Craft CMS version

5.7.2

PHP version

8.2

Operating system and version

Debian GNU/Linux 11 (bullseye)

Database type and version

Postgres 15.12

Image driver and version

No response

Installed plugins and versions

• craftcms/ckeditor: 4.7.0
• verbb/field-manager: 4.0.3
• verbb/zen 2.0.4

[brandonkelly]

Thanks for reporting that! Craft 4.15.2 and 5.7.3 are out with a fix.

[FabianRutishauser]

Successfully tested :) Thank you!