From ff2ab47cfabd4784effbf72a2a386c5d25c43a9a Mon Sep 17 00:00:00 2001 From: Anyon Date: Fri, 4 Sep 2020 12:48:35 +0800 Subject: [PATCH] =?UTF-8?q?#244=20=E5=A2=9E=E5=8A=A0=E9=AA=8C=E8=AF=81=20?= =?UTF-8?q?=E8=A7=84=E5=88=99=E5=8F=8A=E8=AE=BF=E9=97=AE=E6=9D=83=E9=99=90?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/admin/controller/api/Update.php | 11 +++++++++++ vendor/composer/installed.json | 12 ++++++------ vendor/services.php | 2 +- vendor/zoujingli/think-library/src/Library.php | 2 +- .../think-library/src/service/ModuleService.php | 8 ++++++++ .../think-library/src/service/NodeService.php | 4 ++-- 6 files changed, 29 insertions(+), 10 deletions(-) diff --git a/app/admin/controller/api/Update.php b/app/admin/controller/api/Update.php index a9fc24460..131f3c93d 100644 --- a/app/admin/controller/api/Update.php +++ b/app/admin/controller/api/Update.php @@ -17,6 +17,7 @@ namespace app\admin\controller\api; use think\admin\Controller; use think\admin\service\ModuleService; +use think\admin\service\SystemService; /** * 安装服务端支持 @@ -26,6 +27,16 @@ use think\admin\service\ModuleService; class Update extends Controller { + /** + * 访问环境拦截 + */ + protected function initialize() + { + if (!SystemService::instance()->checkRunMode('dev')) { + $this->error('只允许访问本地或官方代码!'); + } + } + /** * 读取文件内容 */ diff --git a/vendor/composer/installed.json b/vendor/composer/installed.json index 383840cc7..c3c10cf7f 100644 --- a/vendor/composer/installed.json +++ b/vendor/composer/installed.json 
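Review bot: The new `initialize()` guard is the only access check this patch adds to the `Update` controller, and it works only if `$this->error()` terminates the request and `checkRunMode('dev')` is decided from server-side configuration rather than request data; neither is visible in this hunk. The docblock `访问环境拦截` states none of this, so I would extend it to something like `Rejects every action unless the run mode is 'dev'; error() must abort the request`, and confirm both assumptions against `SystemService` and the base controller. The override also does not call the parent method, which would silently drop any setup the base `Controller` performs there; if that method is not empty, add `parent::initialize();` as the first statement.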
@@ -958,17 +958,17 @@ }, { "name": "zoujingli/think-library", - "version": "v6.0.3", - "version_normalized": "6.0.3.0", + "version": "v6.0.4", + "version_normalized": "6.0.4.0", "source": { "type": "git", "url": "https://github.com/zoujingli/ThinkLibrary.git", - "reference": "77e7a89a681854da202aa5afa4170279ac6c44c4" + "reference": "90513f6dd77469528657c1a14c0d69e2eaea80a1" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/zoujingli/ThinkLibrary/zipball/77e7a89a681854da202aa5afa4170279ac6c44c4", - "reference": "77e7a89a681854da202aa5afa4170279ac6c44c4", + "url": "https://api.github.com/repos/zoujingli/ThinkLibrary/zipball/90513f6dd77469528657c1a14c0d69e2eaea80a1", + "reference": "90513f6dd77469528657c1a14c0d69e2eaea80a1", "shasum": "", "mirrors": [ { @@ -985,7 +985,7 @@ "ext-mbstring": "*", "topthink/framework": "^6.0" }, - "time": "2020-09-02T03:41:53+00:00", + "time": "2020-09-04T04:22:19+00:00", "type": "library", "extra": { "think": { diff --git a/vendor/services.php b/vendor/services.php index 2cb462a9e..53c3d0d13 100644 --- a/vendor/services.php +++ b/vendor/services.php @@ -1,5 +1,5 @@ 'think\\admin\\Library', diff --git a/vendor/zoujingli/think-library/src/Library.php b/vendor/zoujingli/think-library/src/Library.php index c59c73517..ef9c56ea3 100644 --- a/vendor/zoujingli/think-library/src/Library.php +++ b/vendor/zoujingli/think-library/src/Library.php @@ -41,7 +41,7 @@ class Library extends Service /** * 扩展库版本号 */ - const VERSION = '6.0.3'; + const VERSION = '6.0.4'; /** * 启动服务 diff --git a/vendor/zoujingli/think-library/src/service/ModuleService.php b/vendor/zoujingli/think-library/src/service/ModuleService.php index 024edd2e3..bc2739797 100644 --- a/vendor/zoujingli/think-library/src/service/ModuleService.php +++ b/vendor/zoujingli/think-library/src/service/ModuleService.php 
@@ -190,10 +190,18 @@ class ModuleService extends Service
 */
 public function checkAllowDownload(string $name): bool
 {
+ // 禁止目录级别上跳
+ if (stripos($name, '../') !== false) {
+ return false;
+ }
 // 禁止下载数据库配置文件
 if (stripos($name, 'database.php') !== false) {
 return false;
 }
+ // 禁止非官方演示项目下载
+ if (stripos($this->app->request->domain(), 'thinkadmin.top') === false) {
+ return false;
+ }
 // 检查允许下载的文件规则
 foreach ($this->_getAllowDownloadRule() as $rule) {
 if (stripos($name, $rule) !== false) return true;
diff --git a/vendor/zoujingli/think-library/src/service/NodeService.php b/vendor/zoujingli/think-library/src/service/NodeService.php
index 3f208bd50..ceb3f5f8c 100644
--- a/vendor/zoujingli/think-library/src/service/NodeService.php
+++ b/vendor/zoujingli/think-library/src/service/NodeService.php
@@ -60,10 +60,10 @@ class NodeService extends Service
 {
 if (empty($node)) return $this->getCurrent();
 if (count($attrs = explode('/', $node)) === 1) {
- return $this->getCurrent('controller') . '/' . $node;
+ return $this->getCurrent('controller') . '/' . strtolower($node);
 } else {
 $attrs[1] = $this->nameTolower($attrs[1]);
- return join('/', $attrs);
+ return strtolower(join('/', $attrs));
 }
 }
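Review bot: The domain gate added to `checkAllowDownload()` is a substring test, so any host name that merely contains `thinkadmin.top` satisfies it, and `request->domain()` is presumably built from the request's Host header, which the client supplies. Compare the parsed host exactly instead, for example `$host = (string)parse_url($this->app->request->domain(), PHP_URL_HOST);` followed by `if ($host !== 'thinkadmin.top' && substr($host, -15) !== '.thinkadmin.top') return false;`, and preferably read the trusted host from configuration. The traversal check is similarly narrow: it rejects only the literal `../`, so names using `\` as the separator are not covered, and the allow rules below it are matched with `stripos` anywhere in the name rather than as a path prefix. Normalising first with `$name = str_replace('\\', '/', $name);` and rejecting any `..` path segment would tighten it. The body of `checkAllowDownload()` continues past the end of the hunk.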