QDataStream & QResource: document their lack of security-hardening

Pick-to: 6.6 6.5 Fixes: QTBUG-120012 Task-number: QTBUG-119178 Change-Id: I6e2677aad2ab45759db2fffd17a06af730e320d6 Reviewed-by: Ievgenii Meshcheriakov <ievgenii.meshcheriakov@qt.io> Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io> (cherry picked from commit e696bec76e4f852cb28f27c50c95d3504fba559e) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
2023-12-13 11:37:48 -03:00 · 2023-12-13 11:37:48 -03:00 · 60d60dba77
commit 60d60dba77
parent e4c533c336
2 changed files with 34 additions and 0 deletions
--- a/src/corelib/io/qresource.cpp
+++ b/src/corelib/io/qresource.cpp
@ -233,6 +233,19 @@ static inline ResourceList *resourceList()
    itself will be unmapped from memory when the last QResource that points
    to it is destroyed.

+    \section2 Corruption and Security
+
+    The QResource class performs some checks on the file passed to determine
+    whether it is supported by the current version of Qt. Those tests are only
+    to check the file header does not request features (such as Zstandard
+    decompression) that have not been compiled in or that the file is not of a
+    future version of Qt. They do not confirm the validity of the entire file.
+
+    QResource should not be used on files whose provenance cannot be trusted.
+    Applications should be designed to attempt to load only resource files
+    whose provenance is at least as trustworthy as that of the application
+    itself or its plugins.
+
    \sa {The Qt Resource System}, QFile, QDir, QFileInfo
 */

--- a/src/corelib/serialization/qdatastream.cpp
+++ b/src/corelib/serialization/qdatastream.cpp
@ -164,6 +164,27 @@ QT_BEGIN_NAMESPACE
    If no full packet is received, this code restores the stream to the
    initial position, after which you need to wait for more data to arrive.

+    \section1 Corruption and Security
+
+    QDataStream is not resilient against corrupted data inputs and should
+    therefore not be used for security-sensitive situations, even when using
+    transactions. Transactions will help determine if a valid input can
+    currently be decoded with the data currently available on an asynchronous
+    device, but will assume that the data that is available is correctly
+    formed.
+
+    Additionally, many QDataStream demarshalling operators will allocate memory
+    based on information found in the stream. Those operators perform no
+    verification on whether the requested amount of memory is reasonable or if
+    it is compatible with the amount of data available in the stream (example:
+    demarshalling a QByteArray or QString may see the request for allocation of
+    several gigabytes of data).
+
+    QDataStream should not be used on content whose provenance cannot be
+    trusted. Applications should be designed to attempt to decode only streams
+    whose provenance is at least as trustworthy as that of the application
+    itself or its plugins.
+
    \sa QTextStream, QVariant
 */