26 Nov 2025, 11:10 a.m.
On Wed Nov 26 11:10:14 2025 +0000, Jacek Caban wrote:
This should probably use `INTERFACE_USES_SECURITY_MANAGER` and propagate `QueryService(SID_SInternetHostSecurityManager)` when appropriate, likely based on `IObjectWithSite`. Otherwise, unsafe scripts could use this to bypass the security manager. For example, a webpage could create an XML document and then run xpath with a malicious script; if that script isn’t subject to the security manager, it could freely create objects like `Scripting.FileSystemObject`. Do we have an example of how this works?
-- https://gitlab.winehq.org/wine/wine/-/merge_requests/9600#note_123813