From 60d60dba77f77d603b42b7a42c9f5c9aec280e89 Mon Sep 17 00:00:00 2001
From: Thiago Macieira <thiago.macieira@intel.com>
Date: Wed, 13 Dec 2023 11:37:48 -0300
Subject: [PATCH] QDataStream & QResource: document their lack of
 security-hardening

Pick-to: 6.6 6.5
Fixes: QTBUG-120012
Task-number: QTBUG-119178
Change-Id: I6e2677aad2ab45759db2fffd17a06af730e320d6
Reviewed-by: Ievgenii Meshcheriakov <ievgenii.meshcheriakov@qt.io>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit e696bec76e4f852cb28f27c50c95d3504fba559e)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
 src/corelib/io/qresource.cpp              | 13 +++++++++++++
 src/corelib/serialization/qdatastream.cpp | 21 +++++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/src/corelib/io/qresource.cpp b/src/corelib/io/qresource.cpp
index 1bdcf246bee..e3b09e7cbd6 100644
--- a/src/corelib/io/qresource.cpp
+++ b/src/corelib/io/qresource.cpp
@@ -233,6 +233,19 @@ static inline ResourceList *resourceList()
     itself will be unmapped from memory when the last QResource that points
     to it is destroyed.
 
+    \section2 Corruption and Security
+
+    The QResource class performs some checks on the file passed to determine
+    whether it is supported by the current version of Qt. Those tests are only
+    to check the file header does not request features (such as Zstandard
+    decompression) that have not been compiled in or that the file is not of a
+    future version of Qt. They do not confirm the validity of the entire file.
+
+    QResource should not be used on files whose provenance cannot be trusted.
+    Applications should be designed to attempt to load only resource files
+    whose provenance is at least as trustworthy as that of the application
+    itself or its plugins.
+
     \sa {The Qt Resource System}, QFile, QDir, QFileInfo
 */
 
diff --git a/src/corelib/serialization/qdatastream.cpp b/src/corelib/serialization/qdatastream.cpp
index 11236c14f15..171d29f529c 100644
--- a/src/corelib/serialization/qdatastream.cpp
+++ b/src/corelib/serialization/qdatastream.cpp
@@ -164,6 +164,27 @@ QT_BEGIN_NAMESPACE
     If no full packet is received, this code restores the stream to the
     initial position, after which you need to wait for more data to arrive.
 
+    \section1 Corruption and Security
+
+    QDataStream is not resilient against corrupted data inputs and should
+    therefore not be used for security-sensitive situations, even when using
+    transactions. Transactions will help determine if a valid input can
+    currently be decoded with the data currently available on an asynchronous
+    device, but will assume that the data that is available is correctly
+    formed.
+
+    Additionally, many QDataStream demarshalling operators will allocate memory
+    based on information found in the stream. Those operators perform no
+    verification on whether the requested amount of memory is reasonable or if
+    it is compatible with the amount of data available in the stream (example:
+    demarshalling a QByteArray or QString may see the request for allocation of
+    several gigabytes of data).
+
+    QDataStream should not be used on content whose provenance cannot be
+    trusted. Applications should be designed to attempt to decode only streams
+    whose provenance is at least as trustworthy as that of the application
+    itself or its plugins.
+
     \sa QTextStream, QVariant
 */