From e70b243b30c1968a9b2d47b158c30937b631e56e Mon Sep 17 00:00:00 2001
From: Julio Montoya
Date: Thu, 10 Jun 2021 09:26:58 +0200
Subject: [PATCH 1/3] Disable access to app/cache + allow pchart generated files BT#18720

---
 app/cache/.htaccess | 7 +++++++
 main/admin/archive_cleanup.php | 12 +++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/app/cache/.htaccess b/app/cache/.htaccess
index ddc33ea791..78d659062b 100644
--- a/app/cache/.htaccess
+++ b/app/cache/.htaccess
@@ -1 +1,8 @@
+order deny,allow
+deny from all
+# pChart generated files should be allowed
+
+ order allow,deny
+ allow from all
+
 php_flag engine off
\ No newline at end of file
diff --git a/main/admin/archive_cleanup.php b/main/admin/archive_cleanup.php
index af1f34b492..b099c635b9 100755
--- a/main/admin/archive_cleanup.php
+++ b/main/admin/archive_cleanup.php
@@ -46,7 +46,17 @@ if ($form->validate()) {
 }

 $archive_path = api_get_path(SYS_ARCHIVE_PATH);
- $htaccess = 'php_flag engine off';
+ $htaccess = <<
+ order allow,deny
+ allow from all
+
+php_flag engine off
+TEXT;
+
 $result = rmdirr($archive_path, true, true);
 if (false === $result) {
 Display::addFlash(Display::return_message(get_lang('ArchiveDirCleanupFailed'), 'error'));
From 98d2668e271f554d3bd9e8e433176da3b3eb675a Mon Sep 17 00:00:00 2001
From: Julio Montoya
Date: Thu, 10 Jun 2021 14:29:25 +0200
Subject: [PATCH 2/3] Add api_protect_webservices

---
 main/webservices/user_info.soap.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/main/webservices/user_info.soap.php b/main/webservices/user_info.soap.php
index d59c8ad7f1..60360b25d3 100755
--- a/main/webservices/user_info.soap.php
+++ b/main/webservices/user_info.soap.php
@@ -1,15 +1,18 @@
- *
- * @package chamilo.webservices
 */
 require_once __DIR__.'/../inc/global.inc.php';
+
+api_protect_webservices();
+
 // Create the server instance
 $server = new soap_server();
 // Initialize WSDL support
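Review bot: The access rules use the Apache 2.2 `order`/`deny`/`allow` vocabulary on every line of the hunk; on Apache 2.4 these directives are only honoured when `mod_access_compat` is loaded, so a 2.4 host without it silently serves the cache directory again. The 2.4 equivalents are `Require all denied` for the directory and `Require all granted` inside the matching block, and a comment such as `# Apache 2.2 syntax; on 2.4 without mod_access_compat use Require all denied / Require all granted` would make that dependency explicit. The directive that opens the allow block is not readable on this page, so I cannot check how narrowly the pChart files are matched; it should cover only the generated image extensions. `php_flag engine off` likewise only takes effect under mod_php, and the file as a whole only applies where `AllowOverride` permits it, which belongs in the deployment notes.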
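Review bot: The rule set assigned to `$htaccess` duplicates the contents of `app/cache/.htaccess` from the first hunk, so the two copies will drift the next time the rules change; reading the shared text from one place (a constant or the committed file) would keep the regenerated file identical to the repository version. Because the text carries a directive with a regular expression, a nowdoc (`<<<'TEXT'`) is safer than a heredoc: nothing in it should be interpolated, and a `$` or `\` inside the pattern cannot be mis-parsed. The heredoc opener is not fully readable on this page, and the code that writes `$htaccess` back after `rmdirr()` lies outside the hunk, so I cannot confirm the write is checked; a failed write should be reported the same way as the failed cleanup at the end of the hunk, since the directory is served without protection until the file exists.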
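Review bot: `api_protect_webservices()` is placed after `global.inc.php` and before `$server = new soap_server()`, which is the right order, but the hunk gives no hint of what it does for a rejected caller; if it returns instead of ending the request, the SOAP server is still built and exposed. Please confirm it terminates the request on failure (or make that explicit at the call site) and add `// Must run before the SOAP server is built: ends the request for callers that fail the webservice access check.` above the call. The same guard presumably belongs in the sibling `*.soap.php` endpoints not touched in this series. The top of the file before `*/` is not readable on this page.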
From 8e0d4032082d2259ed84f4976ad1c19a40868a24 Mon Sep 17 00:00:00 2001
From: Julio Montoya
Date: Thu, 10 Jun 2021 14:30:34 +0200
Subject: [PATCH 3/3] Setting: prevent_multiple_simultaneous_login: Check IP

---
 main/inc/lib/online.inc.php | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/main/inc/lib/online.inc.php b/main/inc/lib/online.inc.php
index daa27eca24..28c94f1890 100755
--- a/main/inc/lib/online.inc.php
+++ b/main/inc/lib/online.inc.php
@@ -76,10 +76,17 @@ function LoginCheck($uid)
 function preventMultipleLogin($userId)
 {
 $table = Database::get_main_table(TABLE_STATISTIC_TRACK_E_ONLINE);
- $userId = intval($userId);
+ $userId = (int) $userId;
 if (api_get_setting('prevent_multiple_simultaneous_login') === 'true') {
 if (!empty($userId) && !api_is_anonymous()) {
 $isFirstLogin = Session::read('first_user_login');
+ $currentIp = Session::read('current_ip');
+ $differentIp = false;
+ if (!empty($currentIp) && api_get_real_ip() !== $currentIp) {
+ $isFirstLogin = null;
+ $differentIp = true;
+ }
+
 if (empty($isFirstLogin)) {
 $sql = "SELECT login_id FROM $table
 WHERE login_user_id = $userId
@@ -94,7 +101,7 @@ function preventMultipleLogin($userId)
 $userIsReallyOnline = user_is_online($userId);

 // Trying double login.
- if (!empty($loginData) && $userIsReallyOnline == true) {
+ if ((!empty($loginData) && $userIsReallyOnline) || $differentIp) {
 session_regenerate_id();
 Session::destroy();
 header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=multiple_connection_not_allowed');
@@ -102,6 +109,7 @@ function preventMultipleLogin($userId)
 } else {
 // First time
 Session::write('first_user_login', 1);
+ Session::write('current_ip', api_get_real_ip());
 }
 }
 }
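Review bot: The new comparison `api_get_real_ip() !== $currentIp` makes the session's lifetime depend on how `api_get_real_ip()` derives the address; if that helper reads a forwarded-for style header, the value is under the client's control and a session can be ended by anything that varies the header, while a user whose network address changes mid-session (mobile carriers, NAT pools) is logged out as a "double login". Please confirm the helper trusts forwarded headers only from configured proxies, and document the intent above the block: `// An address change since login invalidates the session: re-run the double-login check and force the logout below.` The `(int)` cast keeps `$userId` safe for the interpolated SQL at the end of the hunk, as `intval()` did. `preventMultipleLogin()` continues past the end of this hunk.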
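Review bot: The `|| $differentIp` branch redirects with the same `error=multiple_connection_not_allowed` as a genuine concurrent login, so an address change and a double login are indistinguishable to the user and in the access logs; a distinct error value (for example `error=ip_changed`, a constructed name) and a log line before `Session::destroy()` would make incident review and support triage possible. Whether the `header()` redirect is followed by an `exit` is outside the hunk, so I cannot confirm the rest of the function stops executing for the rejected request.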
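Review bot: `current_ip` is only written in the first-login `else` branch, so sessions that already have `first_user_login` set when this code is deployed never record an address and, through the `!empty($currentIp)` guard in the first hunk, are exempt from the new check until their next login. If that is acceptable it deserves a comment such as `// Recorded once per login; sessions without it are not IP-checked until they log in again.`; otherwise write the address whenever it is missing rather than only on first login.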