Validaciones nuevas incidencias reporte veracode 29-04-15

workflow/engine/controllers/adminProxy.php

@@ -1076,7 +1076,8 @@ class adminProxy extends HttpProxyController
                     } else {
                         $failed = "3";
                     }
-                    unlink ($dir . '/tmp' . $fileName);
+                    $path = $filter->xssFilterHard($dir . '/tmp' . $fileName, 'path');
+                    unlink ($path);
                 } catch (Exception $e) {
                     $failed = "3";
                 }
@@ -1088,6 +1089,7 @@ class adminProxy extends HttpProxyController
         }
         $uploaded = $filter->validateInput($uploaded,'int');
         $files_img_type = $filter->xssFilterHard($files_img_type);
+        $failed = $filter->validateInput($failed,'int');
         echo '{success: true, failed: ' . $failed . ', uploaded: ' . $uploaded . ', type: "' . $files_img_type . '"}';
         exit();
     }
@@ -1236,6 +1238,11 @@ class adminProxy extends HttpProxyController
     public function showLogo($imagen)
     {
         $info = @getimagesize($imagen);
+        
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $imagen = $filter->validateInput($imagen, "path");
+            
         $fp   = fopen($imagen, "rb");
         if ($info && $fp) {
             header("Content-type: {$info['mime']}");
@@ -1295,6 +1302,11 @@ class adminProxy extends HttpProxyController
             }
             $newDir .= PATH_SEP.$base64Id;
             $dir    .= PATH_SEP.$base64Id;
+            
+            G::LoadSystem('inputfilter');
+            $filter = new InputFilter();
+            $dir = $filter->validateInput($dir, "path");
+        
             copy($dir,$newDir);
             self::showLogo($newDir);
             die;