
Harden Cache-Control TTL sanitization in response controller#4

Merged
MaximillianGroup merged 3 commits into main from codex/review-cache-plugin-and-plan-action on May 26, 2026

Conversation

@MaximillianGroup

Contributor

Motivation

  • Prevent third-party filters from producing negative or invalid Cache-Control directive values, which can create malformed headers and unpredictable downstream caching behavior.

Description

  • Normalize starcache_max_age and starcache_stale_while_revalidate outputs in StarResponseController::sendPublicCacheHeaders() by introducing sanitizeDirectiveSeconds() and using it to ensure non-negative, predictable TTLs (file modified: StarResponseController.php).

Testing

  • Ran syntax checks (php -l) across plugin PHP files, which completed successfully.
  • Attempted composer install / composer test but dependency installation failed due to Packagist network restrictions in the execution environment, so full test-suite execution could not be run.

Codex Task

@gemini-code-assist (Bot) left a comment


Code Review

This pull request introduces a new helper method sanitizeDirectiveSeconds to normalize cache directive durations (max-age and stale-while-revalidate) to prevent negative or invalid values from third-party filters. The feedback points out that casting the filter outputs to (int) before sanitization converts invalid types (like null or false) to 0, which bypasses the negative-value check and silently disables caching. The reviewer recommends passing the raw filter values and updating sanitizeDirectiveSeconds to accept mixed types and validate them using is_numeric() to safely fall back to the default TTL.

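The hardened helper the review asks for, as an added PHP 8 example that is not the project's code: the default TTL values, the buildCacheControl() wrapper, the weak variant and the constructed filter outputs are assumptions; only the name sanitizeDirectiveSeconds() and the is_numeric() fallback come from the thread above.

```php
<?php
declare(strict_types=1);

// Weak pattern flagged in review (reconstructed, not the project's code):
// the caller casts the filter output to int first, so null/false become 0
// and pass the non-negative check as a "valid" TTL of zero.
function sanitizeDirectiveSecondsWeak(int $seconds): int
{
    return max(0, $seconds);
}

// Hardened form: take the raw filter output, fall back to the default TTL
// for anything that is not numeric (null, false, arrays, junk strings),
// and clamp negative numbers to zero so the header is never malformed.
function sanitizeDirectiveSeconds(mixed $value, int $default): int
{
    if (!is_numeric($value)) {
        return max(0, $default);
    }
    return max(0, (int) $value);
}

// Assumed wrapper standing in for sendPublicCacheHeaders(): takes whatever
// the starcache_max_age / starcache_stale_while_revalidate filters returned.
function buildCacheControl(mixed $maxAge, mixed $swr): string
{
    $maxAge = sanitizeDirectiveSeconds($maxAge, 300); // assumed default TTLs
    $swr    = sanitizeDirectiveSeconds($swr, 60);
    return sprintf('public, max-age=%d, stale-while-revalidate=%d', $maxAge, $swr);
}

// Constructed filter outputs a misbehaving third-party filter might return.
$samples = [[300, 60], [-5, 60], [null, 60], ['abc', false], ['120', '30']];
foreach ($samples as [$a, $b]) {
    printf("%-22s -> %s\n",
        var_export($a, true) . ' / ' . var_export($b, true),
        buildCacheControl($a, $b));
}

// Contrast on a null filter result: the weak path keeps the cast-to-zero
// value, the hardened path restores the default.
$raw = null;
printf("weak: %d, hardened: %d\n",
    sanitizeDirectiveSecondsWeak((int) $raw),
    sanitizeDirectiveSeconds($raw, 300));
```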

Copilot AI left a comment

Contributor


Pull request overview

This PR hardens Cache-Control header emission by preventing negative TTL values (potentially returned by third-party WordPress filters) from producing malformed directives in StarResponseController::sendPublicCacheHeaders().

Changes:

  • Added sanitizeDirectiveSeconds() to normalize directive seconds to a non-negative integer.
  • Applied sanitization to both starcache_max_age and starcache_stale_while_revalidate filter outputs before building the Cache-Control header.


@MaximillianGroup MaximillianGroup merged commit 28b0a5b into main May 26, 2026
2 checks passed
