From 197bf61cfd6b176e163d56fd71988a109f098710 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 10 Nov 2019 14:01:59 +0100
Subject: [PATCH] Fix security. Login check must be done if action=login only.
---
 htdocs/main.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index fb446cb6afd..590f78437b4 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -553,7 +553,7 @@ if (! defined('NOLOGIN'))
 // Validation of login/pass/entity
 // If ok, the variable login will be returned
 // If error, we will put error message in session under the name dol_loginmesg
- if ($test && $goontestloop)
+ if ($test && $goontestloop && GETPOST('action', 'aZ09') == 'login')
 {
 $login = checkLoginPassEntity($usertotest, $passwordtotest, $entitytotest, $authmode);
 if ($login)
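Review bot: Gating the credential check on `GETPOST('action', 'aZ09') == 'login'` means `checkLoginPassEntity()` is now reached only for requests that carry the login form's `action` field, so any mode in `$authmode` that authenticates without that form submit would be skipped; the hunk does not show whether such modes exist, so this needs confirming. When the gate is false, `$login` is not assigned in this block, and the code after it (outside the hunk) has to treat that as unauthenticated rather than fall through. I would also make the comparison strict and record why the gate exists, e.g. `if ($test && $goontestloop && GETPOST('action', 'aZ09') === 'login')` preceded by `// Only test credentials on an explicit login form submit`. The enclosing `if (! defined('NOLOGIN'))` block starts and ends outside the hunk.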