Merged in paulis/processmaker/PM-VERACODE-3 (pull request #1660)

I solved all observation by Code Injection - Hight

workflow/engine/classes/class.pluginRegistry.php

@@ -489,8 +489,11 @@ class PMPluginRegistry
         if (! file_exists( PATH_PLUGINS . $pluginFile )) {
             throw (new Exception( "File \"$pluginFile\" doesn't exist" ));
         }
-
-        require_once (PATH_PLUGINS . $pluginFile);
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $path = PATH_PLUGINS . $pluginFile;
+        //$path = $filter->validateInput($path, 'path');
+        require_once ($path);
         $details = $this->getPluginDetails( $pluginFile );
 
         $this->installPlugin( $details->sNamespace );
@@ -509,7 +512,11 @@ class PMPluginRegistry
         }
 
         ///////
-        require_once (PATH_PLUGINS . $pluginFile);
+        $path = PATH_PLUGINS . $pluginFile;
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $path = $filter->validateInput($path, 'path');
+        require_once ($path);
 
         foreach ($this->_aPluginDetails as $namespace => $detail) {
             if ($namespace == $sNamespace) {

workflow/engine/classes/model/AddonsManager.php

@@ -132,7 +132,11 @@ class AddonsManager extends BaseAddonsManager
 
         $oPluginRegistry = &PMPluginRegistry::getSingleton();
 
-        require_once (PATH_PLUGINS . $this->getAddonName() . ".php");
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $requiredPath = PATH_PLUGINS . $this->getAddonName() . ".php";
+        $requiredPath = $filter->validateInput($requiredPath, 'path');
+        require_once ($requiredPath);
 
         if ($enable) {
             //$oDetails = $oPluginRegistry->getPluginDetails($this->getAddonName());