From 3ab63875e551c67b9c6b7a0a8883a01666a557d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kai=20K=C3=B6hne?=
Date: Wed, 9 Apr 2025 12:44:15 +0200
Subject: [PATCH] Doc: Warn about loading of untrusted .qm files
Pick-to: 6.9 6.8
Change-Id: I0cc99ef285335fc244ba33f08bf0e322c7597a75
Reviewed-by: Thiago Macieira
Reviewed-by: Volker Hilsheimer
---
 src/corelib/kernel/qtranslator.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/corelib/kernel/qtranslator.cpp b/src/corelib/kernel/qtranslator.cpp
index aa7c8be2285..6b68cb7a513 100644
--- a/src/corelib/kernel/qtranslator.cpp
+++ b/src/corelib/kernel/qtranslator.cpp
@@ -376,6 +376,16 @@ public:
 QCoreApplication::installTranslator(). It will then be the first translation to be searched for matching strings.
+ \section1 Security Considerations
+
+ Only install translation files from trusted sources.
+
+ Translation files are binary files that are generated from text-based
+ translation source files. The format of these binary files is strictly
+ defined by Qt and any manipulation of the data in the binary file may
+ crash the application when the file is loaded. Furthermore, even well-formed
+ translation files may contain misleading or malicious translations.
+
 \sa QCoreApplication::installTranslator(), QCoreApplication::removeTranslator(), QObject::tr(), QCoreApplication::translate(), {I18N Example}, {Hello tr() Example}, {Arrow Pad Example}, {Troll Print Example}
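Review bot: The first sentence of the new section says `Only install translation files from trusted sources.`, but the paragraph under it places the crash risk at load time ("when the file is loaded"), so the advice should name loading as well: `Only load and install translation files from trusted sources.` As written, a reader who loads a .qm file without ever calling installTranslator() could conclude the warning does not apply to them. A one-line pointer to this section from the documentation of the load() overloads would put the warning where callers actually hand over the file or buffer. Those doc blocks are outside this hunk, and the class comment this section sits in also starts and ends outside it.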