veracode medium issues

Directory Transversal, OS Command Injection

workflow/engine/classes/class.case.php

@@ -3797,6 +3797,10 @@ class Cases
                 if (!is_dir($strPathName)) {
                     G::verifyPath($strPathName, true);
                 }
+                
+                G::LoadSystem('inputfilter');
+                $filter = new InputFilter();
+                $file = $filter->xssFilterHard($file, 'path');
 
                 copy($file, $strPathName . $strFileName);
                 chmod($strPathName . $strFileName, 0666);

workflow/engine/classes/class.pmLicenseManager.php

@@ -442,6 +442,10 @@ class pmLicenseManager
             $LicenseStatus = $this->lookForStatusLicense(); //we're looking for a status ACTIVE
 
             //getting the content from file
+            G::LoadSystem('inputfilter');
+            $filter = new InputFilter();
+            $path = $filter->xssFilterHard($path, 'path');
+                
             $handle = fopen ( $path, "r" );
             $contents = fread ( $handle, filesize ( $path ) );
             fclose ( $handle );

workflow/engine/classes/class.system.php

@@ -287,6 +287,7 @@ class System
         $tempFilename = isset( $_FILES['form']['tmp_name']['UPGRADE_FILENAME'] ) ? $_FILES['form']['tmp_name']['UPGRADE_FILENAME'] : '';
         $this->sRevision = str_replace( '.tar.gz', '', str_replace( 'pmos-patch-', '', $upgradeFilename ) );
         $sTemFilename = $tempFilename;
+        $sTemFilename = $filter->xssFilterHard($sTemFilename, 'path');
         $pathFile = $filter->xssFilterHard(PATH_DATA . 'upgrade' . PATH_SEP . $upgradeFilename, 'path');
         $this->sFilename = $pathFile;
         $this->sPath = dirname( $this->sFilename ) . PATH_SEP;