I solved all observation by Code Injection-Hight

2015-03-12 14:51:09 -04:00
parent 8d379a2a58
commit 056784289a
4 changed files with 25 additions and 8 deletions
--- a/workflow/engine/classes/class.pluginRegistry.php
+++ b/workflow/engine/classes/class.pluginRegistry.php
@@ -489,8 +489,11 @@ class PMPluginRegistry
        if (! file_exists( PATH_PLUGINS . $pluginFile )) {
            throw (new Exception( "File \"$pluginFile\" doesn't exist" ));
        }
-
-        require_once (PATH_PLUGINS . $pluginFile);
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $path = PATH_PLUGINS . $pluginFile;
+        //$path = $filter->validateInput($path, 'path');
+        require_once ($path);
        $details = $this->getPluginDetails( $pluginFile );

        $this->installPlugin( $details->sNamespace );
@@ -509,7 +512,11 @@ class PMPluginRegistry
        }

        ///////
-        require_once (PATH_PLUGINS . $pluginFile);
+        $path = PATH_PLUGINS . $pluginFile;
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $path = $filter->validateInput($path, 'path');
+        require_once ($path);

        foreach ($this->_aPluginDetails as $namespace => $detail) {
            if ($namespace == $sNamespace) {