Fix security: A password must NEVER be stored as cookie. GETPOST must

analyse POST only.
Dolibarr · Jun 12, 2016 · cda17da · cda17da
1 parent 1396f11
commit cda17da
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
@@ -438,7 +438,7 @@ function analyseVarsForSqlAndScriptsInjection(&$var, $type)
         }
 
         $usertotest		= (! empty($_COOKIE['login_dolibarr']) ? $_COOKIE['login_dolibarr'] : GETPOST("username","alpha",2));
-        $passwordtotest	= (! empty($_COOKIE['password_dolibarr']) ? $_COOKIE['password_dolibarr'] : GETPOST('password'));
+        $passwordtotest	= GETPOST('password','',2);
         $entitytotest	= (GETPOST('entity','int') ? GETPOST('entity','int') : (!empty($conf->entity) ? $conf->entity : 1));
 
         // Validation of login/pass/entity