From 05942fe2f32aa26b91f7528577c6fde5fb9b923a Mon Sep 17 00:00:00 2001
From: Jeroen Peelaerts <jeroen.peelaerts@gmail.com>
Date: Tue, 2 Mar 2021 22:23:28 +0100
Subject: [PATCH] Add hook to validate save HTTP method (#3100)

---
 Dockerfile                        |  2 +-
 application/config/hooks.php      |  8 ++++++++
 application/controllers/Items.php |  4 ++--
 application/hooks/save_hook.php   | 16 ++++++++++++++++
 4 files changed, 27 insertions(+), 3 deletions(-)
 create mode 100644 application/hooks/save_hook.php

diff --git a/Dockerfile b/Dockerfile
index 886270677..2181cb2c1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -37,6 +37,6 @@ FROM ospos AS ospos_dev
 RUN mkdir -p /app/bower_components && ln -s /app/bower_components /var/www/html/bower_components
 RUN yes | pecl install xdebug \
     && echo "zend_extension=$(find /usr/local/lib/php/extensions/ -name xdebug.so)" > /usr/local/etc/php/conf.d/xdebug.ini \
-    && echo "xdebug.remote_enable=on" >> /usr/local/etc/php/conf.d/xdebug.ini \
+    && echo "xdebug.remote_enable=1" >> /usr/local/etc/php/conf.d/xdebug.ini \
     && echo "xdebug.remote_autostart=off" >> /usr/local/etc/php/conf.d/xdebug.ini
 
diff --git a/application/config/hooks.php b/application/config/hooks.php
index dfc36793c..2c868085f 100644
--- a/application/config/hooks.php
+++ b/application/config/hooks.php
@@ -26,6 +26,14 @@ $hook['post_controller'] = array(
                                     'filepath' => 'hooks'
                                 );
 
+$hook['pre_controller'][] = array(
+    'class'    => '',
+    'function' => 'validate_save',
+    'filename' => 'save_hook.php',
+    'filepath' => 'hooks'
+);
+
+
 $hook['pre_system'] = function() {
     $config_path = APPPATH . (ENVIRONMENT == 'testing') ? 'tests/' : 'config/';
 	try {
diff --git a/application/controllers/Items.php b/application/controllers/Items.php
index cb37d1f13..a3ca4dda5 100644
--- a/application/controllers/Items.php
+++ b/application/controllers/Items.php
@@ -501,7 +501,7 @@ class Items extends Secure_Controller
 		}
 		$default_pack_name = $this->lang->line('items_default_pack_name');
 
-	//Save item data
+		//Save item data
 		$item_data = array(
 			'name' => $this->input->post('name'),
 			'description' => $this->input->post('description'),
@@ -1153,4 +1153,4 @@ class Items extends Secure_Controller
 		}
 	}
 }
-?>
\ No newline at end of file
+?>
diff --git a/application/hooks/save_hook.php b/application/hooks/save_hook.php
new file mode 100644
index 000000000..ccce4c136
--- /dev/null
+++ b/application/hooks/save_hook.php
@@ -0,0 +1,16 @@
+<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
+
+function validate_save()
+{
+
+    $url = $_SERVER['REQUEST_URI'];
+
+    $is_save = preg_match('/save\/\d*?/', $url);
+
+    if($is_save && $_SERVER["REQUEST_METHOD"] != "POST" && empty($_POST))
+    {
+        echo "Method not allowed";
+        die;
+    }
+
+}
\ No newline at end of file