search

OrchardCMS / OrchardCore

Orchard Core is an open-source modular and multi-tenant application framework built with ASP.NET Core, and a content management system (CMS) built on top of that framework.
https://orchardcore.net
BSD 3-Clause "New" or "Revised" License
7.23k stars 2.34k forks source link

Infinite recursion when Content Picker Field references its own parent item with displaying shape override #16218

Open Piedone opened 1 month ago

Piedone commented 1 month ago

Describe the bug

You can create an infinite recursion if you pick the parent item itself in a Content Picker Field.

To Reproduce

Steps to reproduce the behavior:

  1. Add Content Picker Field to a content type, allowing the content type itself to be selected (e.g. you add it to Page, and let Page items be picked too).
  2. Create a content item, publish, edit again, pick the content item itself, publish.
  3. By default, this doesn't cause an issue, because the ContentPicker shape only lists the display texts of the picked items. However, if you have an override that DisplayAsync()s the picked items, see below, you can produce an infinite loop, crashing the process.
@model OrchardCore.ContentFields.ViewModels.DisplayContentPickerFieldViewModel
@using OrchardCore.ContentManagement
@using OrchardCore.ContentManagement.Display
@using OrchardCore.DisplayManagement.ModelBinding
@using OrchardCore.Mvc.Utilities
@using OrchardCore.ContentManagement.Metadata.Models

@inject IContentManager ContentManager
@inject IContentItemDisplayManager DisplayManager
@inject IUpdateModelAccessor UpdateModelAccessor

@{
    var contentItems = await ContentManager.GetAsync(Model.ContentItemIds);

    foreach (var contentItem in contentItems)
    {
        <span>This is new:</span>
        @(await DisplayAsync(await DisplayManager.BuildDisplayAsync(contentItem, UpdateModelAccessor.ModelUpdater)))
    }
}

Latest main (8e3c8180dbe3d8eca792767e7e68f87fc89982ea).

Expected behavior

This is clearly a misconfiguration that can't produce much sensible, but still, the app shouldn't crash. So, e.g.:

Screenshots

-

sebastienros commented 1 month ago

In Fluid there is MaxSteps and MaxRecursion to limit the execution of templates.

github-actions[bot] commented 1 month ago

We triaged this issue and set the milestone according to the priority we think is appropriate (see the docs on how we triage and prioritize issues).

This indicates when the core team may start working on it. However, if you'd like to contribute, we'd warmly welcome you to do that anytime. See our guide on contributions here.