This is an automated email from the ASF dual-hosted git repository.

gregdove pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/royale-asjs.git


The following commit(s) were added to refs/heads/develop by this push:
     new 0f3e7fb  support for another variation in legacy ExternalInterface 
usage: arbitrary script injection via eval
0f3e7fb is described below

commit 0f3e7fb3fc9906638af325a6dcaf03cb23e91108
Author: greg-dove <[email protected]>
AuthorDate: Sat Jan 2 10:46:21 2021 +1300

    support for another variation in legacy ExternalInterface usage: arbitrary 
script injection via eval
---
 .../main/royale/mx/external/ExternalInterface.as   | 31 +++++++++++++++-------
 1 file changed, 22 insertions(+), 9 deletions(-)

diff --git 
a/frameworks/projects/MXRoyale/src/main/royale/mx/external/ExternalInterface.as 
b/frameworks/projects/MXRoyale/src/main/royale/mx/external/ExternalInterface.as
index 7899ca8..9caae70 100644
--- 
a/frameworks/projects/MXRoyale/src/main/royale/mx/external/ExternalInterface.as
+++ 
b/frameworks/projects/MXRoyale/src/main/royale/mx/external/ExternalInterface.as
@@ -169,22 +169,35 @@ package mx.external
             {
                 // find a function with the name...
                 var fnc : Function;
+                var base:Object = window
                 if (functionName) {
-                    var base:Object = window;
-                    var dotIdx:int = functionName.indexOf('.');
-                    if (dotIdx != -1) {
-                        while(dotIdx != -1) {
-                            base = base[functionName.substr(0, dotIdx)];
-                            functionName = functionName.substr(dotIdx + 1);
-                            dotIdx = functionName.indexOf('.');
+                    if (functionName.indexOf('function(')==-1 ) {//might need 
a more robust check for eval-only scripts
+                        var dotIdx:int = functionName.indexOf('.');
+                        var err:Boolean;
+                        if (dotIdx != -1) {
+                            while(!err && dotIdx != -1) {
+                                base = base[functionName.substr(0, dotIdx)];
+                                functionName = functionName.substr(dotIdx + 1);
+                                dotIdx = functionName.indexOf('.');
+                                if (!base) {
+                                    err = true
+                                }
+                            }
+                        }
+                        fnc = !err ? base[functionName] as Function: null;
+                    }
+                    if (!fnc) {
+                        try {
+                            fnc = eval('(function(){ return 
('+functionName+')})()');
+                        } catch(e:Error){
+
                         }
                     }
-                    fnc = base[functionName];
                 }
 
                 if (fnc)
                 {
-                    return fnc.apply(null, args);
+                    return fnc.apply(base, args);
                 }
                 return null;
             }
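Review bot: The `eval` fallback receives a `functionName` that the dotted-path loop has already truncated, so a failed lookup of `a.b.c` evaluates only the remaining tail (`b.c` or `c`) and can resolve to an unrelated global instead of failing. Walk a local copy instead, e.g. `var path:String = functionName;`, with the loop and `base[path] as Function` operating on `path`, so that `eval` only ever sees the caller's original string. The fallback also runs for every name that does not resolve, not just strings containing `function(`, which makes any string reaching this method executable script; consider moving the `try`/`eval` into an `else` of the `indexOf('function(')` test and adding a comment such as `// functionName is evaluated as script: pass only trusted, application-defined strings`. The empty `catch` hides both syntax errors and lookup failures, and because the enclosing function starts outside this hunk, it is not visible here whether `functionName` is validated before it arrives.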
