From a95934c6d8cc5a9a44418624a8055d19a08fb1ba Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 5 Dec 2011 00:35:50 +0100
Subject: [PATCH] Sec: Fix security hole
---
 htdocs/master.inc.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php
index 892655272df..ad05ee10535 100644
--- a/htdocs/master.inc.php
+++ b/htdocs/master.inc.php
@@ -125,17 +125,17 @@ if (! defined('NOREQUIREUSER'))
 if (! defined('NOREQUIREDB'))
 {
 // By default conf->entity is 1, but we change this if we ask another value.
- if (session_id() && ! empty($_SESSION["dol_entity"])) // Entity inside an opened session
+ if (session_id() && ! empty($_SESSION["dol_entity"])) // Entity inside an opened session
 {
 $conf->entity = $_SESSION["dol_entity"];
 }
- elseif (! empty($_ENV["dol_entity"])) // Entity inside a CLI script
+ elseif (! empty($_ENV["dol_entity"])) // Entity inside a CLI script
 {
 $conf->entity = $_ENV["dol_entity"];
 }
- elseif (isset($_POST["loginfunction"]) && ! empty($_POST["entity"])) // Just after a login page
+ elseif (isset($_POST["loginfunction"]) && GETPOST("entity")) // Just after a login page
 {
- $conf->entity = $_POST["entity"];
+ $conf->entity = GETPOST("entity",'int');
 }
 else // TODO Does this "else" still usefull ?
 {
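Review bot: The guard on the third `elseif` still accepts any non-empty value (`GETPOST("entity")`), while the assignment one line later applies the `'int'` filter, so a non-numeric `entity` value passes the guard and, if that filter casts it to 0, leaves `$conf->entity` at 0 instead of the default of 1 the comment above the chain describes. Using the same filter in the condition keeps guard and assignment consistent: `elseif (isset($_POST["loginfunction"]) && GETPOST("entity",'int')) // Just after a login page`. The session and CLI branches above still assign `$_SESSION["dol_entity"]` and `$_ENV["dol_entity"]` unfiltered; whether that matters depends on where those values are written, which is outside this hunk. The enclosing `if (! defined('NOREQUIREDB'))` block continues past the end of the hunk.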