From f542ec8378afbd8038aeca5975b15eca3f0574c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Anne?=
Date: Wed, 3 Aug 2022 11:07:31 +0200
Subject: [PATCH] Filter allowed methods in plugin form controller
---
 front/plugin.form.php | 34 +++++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)
diff --git a/front/plugin.form.php b/front/plugin.form.php
index 8f47e581455..94ca5bf1d48 100644
--- a/front/plugin.form.php
+++ b/front/plugin.form.php
@@ -43,16 +43,28 @@ $plugin = new Plugin();
-if ( isset($_POST['action']) && isset($_POST['id']) ) {
- if (method_exists($plugin, $_POST['action'])) {
- call_user_func([$plugin, $_POST['action']], $_POST['id']);
- } else {
- echo "Action " . $_POST['action'] . " undefined";
- }
- Html::back();
+$id = isset($_POST['id']) && is_numeric($_POST['id']) ? (int)$_POST['id'] : null;
+$action = $id > 0 && isset($_POST['action']) ? $_POST['action'] : null;
+
+switch ($action) {
+ case 'install':
+ $plugin->install($id);
+ break;
+ case 'activate':
+ $plugin->activate($id);
+ break;
+ case 'unactivate':
+ $plugin->unactivate($id);
+ break;
+ case 'uninstall':
+ $plugin->uninstall($id);
+ break;
+ case 'clean':
+ $plugin->clean($id);
+ break;
+ default:
+ Html::displayErrorAndDie('Lost');
+ break;
}
-Html::displayErrorAndDie('Lost');
+Html::back();
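Review bot: The `is_numeric()` guard on the new `$id` line is looser than the `(int)` cast suggests: it accepts floats, exponent notation and leading whitespace (`"12.9"`, `"1e3"`, `" 7"`), which the cast then silently truncates or reinterprets, so a request can reach `install()`/`uninstall()` with an id the caller never literally sent. Pinning it to a positive integer makes the intent explicit: `$id = filter_var($_POST['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);` followed by `$action = $id !== false && isset($_POST['action']) ? $_POST['action'] : null;` (an array or non-integer value yields `false`, so no branch is taken). The loose comparison in `switch ($action)` is acceptable here because `$_POST` only yields strings or arrays and every case label is a non-numeric string, so no numeric-string coercion can match. The access-rights check and any CSRF validation that should guard these state-changing actions are not in the hunk; presumably they sit earlier in the file and apply to every branch, but that is worth confirming since the allow-list alone does not authorize the caller.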