magdev/wp-fedistream
1
Fork 0
Code Issues Pull Requests Actions Releases 12 Activity

Compare commits

base: magdev:v0.4.6
Branches Tags
magdev:main magdev:dev
magdev:v0.6.0 magdev:v0.5.1 magdev:v0.5.0 magdev:v0.4.9 magdev:v0.4.8 magdev:v0.4.7 magdev:v0.4.6 magdev:v0.4.5 magdev:v0.4.4 magdev:v0.4.3 magdev:v0.4.2 magdev:v0.4.1 magdev:v0.4.0 magdev:v0.3.0 magdev:v0.2.0 magdev:v0.1.1 magdev:v0.1.0
..
compare: magdev:v0.4.7
Branches Tags
magdev:dev magdev:main
magdev:v0.6.0 magdev:v0.5.1 magdev:v0.5.0 magdev:v0.4.9 magdev:v0.4.8 magdev:v0.4.7 magdev:v0.4.6 magdev:v0.4.5 magdev:v0.4.4 magdev:v0.4.3 magdev:v0.4.2 magdev:v0.4.1 magdev:v0.4.0 magdev:v0.3.0 magdev:v0.2.0 magdev:v0.1.1 magdev:v0.1.0

1 Commits
v0.4.6 ... v0.4.7

Author SHA1 Message Date
magdev
b592e45d58 fix: Hard main template rendering lock
Some checks failed
Create Release Package / build-release (push) Failing after 53s
Details 
- Added $rendering_main_template flag that blocks all other renders
- Reduced MAX_RENDER_DEPTH from 5 to 2
- template-wrapper.php passes is_main_template=true to enable hard lock
- Any render attempt during main template rendering is blocked

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-02 19:55:23 +01:00
4 changed files with 40 additions and 5 deletions
Expand all files Collapse all files

13
CHANGELOG.md
View File

@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased] ## [Unreleased]
## [0.4.7] - 2026-02-02
### Fixed
- **Hard main template rendering lock** - Added additional protection at Plugin::render() level
- Added `$rendering_main_template` flag that completely blocks any other render calls while main template is rendering
- Reduced MAX_RENDER_DEPTH from 5 to 2 (allows one level of {% include %} but prevents deeper recursion)
- template-wrapper.php now passes `is_main_template = true` to enable the hard lock
- Any render attempt during main template rendering is immediately blocked
## [0.4.6] - 2026-02-02 ## [0.4.6] - 2026-02-02
### Fixed ### Fixed
@@ -254,7 +264,8 @@ Initial release of WP FediStream - a WordPress plugin for streaming music over A
--- ---
[Unreleased]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.6...HEAD [Unreleased]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.7...HEAD
[0.4.7]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.6...v0.4.7
[0.4.6]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.5...v0.4.6 [0.4.6]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.5...v0.4.6
[0.4.5]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.4...v0.4.5 [0.4.5]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.4...v0.4.5
[0.4.4]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.3...v0.4.4 [0.4.4]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.3...v0.4.4

3
includes/Frontend/template-wrapper.php
View File

@@ -60,7 +60,8 @@ get_header();
if ( $template_name ) { if ( $template_name ) {
try { try {
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo $plugin->render( $template_name, $context ); // Pass true for is_main_template to set the hard rendering lock.
echo $plugin->render( $template_name, $context, true );
} catch ( \Exception $e ) { } catch ( \Exception $e ) {
if ( WP_DEBUG ) { if ( WP_DEBUG ) {
echo '<div class="fedistream-error">'; echo '<div class="fedistream-error">';

27
includes/Plugin.php
View File

@@ -64,10 +64,19 @@ final class Plugin {
/** /**
* Maximum allowed Twig render depth. * Maximum allowed Twig render depth.
* Set to 2 to allow one level of nested includes but prevent deeper recursion.
* *
* @var int * @var int
*/ */
private const MAX_RENDER_DEPTH = 5; private const MAX_RENDER_DEPTH = 2;
/**
* Flag to track if we're currently rendering the main page template.
* This is a hard lock that prevents ANY other rendering.
*
* @var bool
*/
private static bool $rendering_main_template = false;
/** /**
* Post type instances. * Post type instances.
@@ -856,18 +865,32 @@ final class Plugin {
* @param array $context Template context variables. * @param array $context Template context variables.
* @return string Rendered template. * @return string Rendered template.
*/ */
public function render( string $template, array $context = array() ): string { public function render( string $template, array $context = array(), bool $is_main_template = false ): string {
// If we're already rendering the main template, block any other renders.
if ( self::$rendering_main_template && ! $is_main_template ) {
return '<!-- FediStream: blocked during main template render -->';
}
// Prevent infinite recursion in Twig rendering. // Prevent infinite recursion in Twig rendering.
if ( self::$render_depth >= self::MAX_RENDER_DEPTH ) { if ( self::$render_depth >= self::MAX_RENDER_DEPTH ) {
return '<!-- FediStream: render depth exceeded -->'; return '<!-- FediStream: render depth exceeded -->';
} }
// Set main template lock if this is the main template.
$was_main = self::$rendering_main_template;
if ( $is_main_template ) {
self::$rendering_main_template = true;
}
++self::$render_depth; ++self::$render_depth;
try { try {
$result = $this->twig->render( $template . '.twig', $context ); $result = $this->twig->render( $template . '.twig', $context );
} finally { } finally {
--self::$render_depth; --self::$render_depth;
if ( $is_main_template ) {
self::$rendering_main_template = $was_main;
}
} }
return $result; return $result;

2
wp-fedistream.php
View File

@@ -26,7 +26,7 @@ if ( ! defined( 'ABSPATH' ) ) {
* *
* @var string * @var string
*/ */
define( 'WP_FEDISTREAM_VERSION', '0.4.6' ); define( 'WP_FEDISTREAM_VERSION', '0.4.7' );
/** /**
* Plugin file path. * Plugin file path.