You've already forked wp-fedistream
fix: Hard main template rendering lock
Some checks failed
Create Release Package / build-release (push) Failing after 53s
Some checks failed
Create Release Package / build-release (push) Failing after 53s
- Added $rendering_main_template flag that blocks all other renders - Reduced MAX_RENDER_DEPTH from 5 to 2 - template-wrapper.php passes is_main_template=true to enable hard lock - Any render attempt during main template rendering is blocked Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
@@ -60,7 +60,8 @@ get_header();
|
||||
if ( $template_name ) {
|
||||
try {
|
||||
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
|
||||
echo $plugin->render( $template_name, $context );
|
||||
// Pass true for is_main_template to set the hard rendering lock.
|
||||
echo $plugin->render( $template_name, $context, true );
|
||||
} catch ( \Exception $e ) {
|
||||
if ( WP_DEBUG ) {
|
||||
echo '<div class="fedistream-error">';
|
||||
|
||||
@@ -64,10 +64,19 @@ final class Plugin {
|
||||
|
||||
/**
|
||||
* Maximum allowed Twig render depth.
|
||||
* Set to 2 to allow one level of nested includes but prevent deeper recursion.
|
||||
*
|
||||
* @var int
|
||||
*/
|
||||
private const MAX_RENDER_DEPTH = 5;
|
||||
private const MAX_RENDER_DEPTH = 2;
|
||||
|
||||
/**
|
||||
* Flag to track if we're currently rendering the main page template.
|
||||
* This is a hard lock that prevents ANY other rendering.
|
||||
*
|
||||
* @var bool
|
||||
*/
|
||||
private static bool $rendering_main_template = false;
|
||||
|
||||
/**
|
||||
* Post type instances.
|
||||
@@ -856,18 +865,32 @@ final class Plugin {
|
||||
* @param array $context Template context variables.
|
||||
* @return string Rendered template.
|
||||
*/
|
||||
public function render( string $template, array $context = array() ): string {
|
||||
public function render( string $template, array $context = array(), bool $is_main_template = false ): string {
|
||||
// If we're already rendering the main template, block any other renders.
|
||||
if ( self::$rendering_main_template && ! $is_main_template ) {
|
||||
return '<!-- FediStream: blocked during main template render -->';
|
||||
}
|
||||
|
||||
// Prevent infinite recursion in Twig rendering.
|
||||
if ( self::$render_depth >= self::MAX_RENDER_DEPTH ) {
|
||||
return '<!-- FediStream: render depth exceeded -->';
|
||||
}
|
||||
|
||||
// Set main template lock if this is the main template.
|
||||
$was_main = self::$rendering_main_template;
|
||||
if ( $is_main_template ) {
|
||||
self::$rendering_main_template = true;
|
||||
}
|
||||
|
||||
++self::$render_depth;
|
||||
|
||||
try {
|
||||
$result = $this->twig->render( $template . '.twig', $context );
|
||||
} finally {
|
||||
--self::$render_depth;
|
||||
if ( $is_main_template ) {
|
||||
self::$rendering_main_template = $was_main;
|
||||
}
|
||||
}
|
||||
|
||||
return $result;
|
||||
|
||||
Reference in New Issue
Block a user