diff --git a/src/gui/rhi/qrhi.cpp b/src/gui/rhi/qrhi.cpp index 01b9a5ffab5..40945b1b5ad 100644 --- a/src/gui/rhi/qrhi.cpp +++ b/src/gui/rhi/qrhi.cpp @@ -149,6 +149,17 @@ Q_STATIC_LOGGING_CATEGORY(QRHI_LOG_RUB, "qt.rhi.rub") Tools module offers build system integration for CMake, the \c qt_add_shaders() CMake function, that can achieve the same at build time. + \section1 Security Considerations + + All data consumed by QRhi and related classes such as QShader are considered + trusted content. + + \warning Application developers are advised to carefully consider the + potential implications before allowing the feeding of user-provided content + that is not part of the application and is not under the developers' + control. (this includes all vertex/index data, shaders, pipeline and draw + call parameters, etc.) + \section1 Design Fundamentals A QRhi cannot be instantiated directly. Instead, use the create() @@ -10731,6 +10742,11 @@ QByteArray QRhi::pipelineCacheData() called at a low frequency, ideally only once e.g. when starting the application. + \warning Serialized pipeline cache data is assumed to be trusted content. Qt + performs robust parsing of the header and metadata included in \a data, + application developers are however advised to never pass in data from + untrusted sources. + \sa pipelineCacheData(), isFeatureSupported() */ void QRhi::setPipelineCacheData(const QByteArray &data) diff --git a/src/gui/rhi/qshader.cpp b/src/gui/rhi/qshader.cpp index 9bb8c294ea5..2f413825189 100644 --- a/src/gui/rhi/qshader.cpp +++ b/src/gui/rhi/qshader.cpp 
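Review bot: The new \warning in the "Security Considerations" section asks developers to "carefully consider the potential implications" without naming those implications or saying what QRhi does and does not check; the same wording recurs in the QShader::fromSerialized() warning in qshader.cpp. A reader deciding whether to accept third-party meshes or shaders needs one sentence on the consequence, for example `QRhi does not validate this data before handing it to the underlying graphics API and driver.`, if that matches the implementation. The trailing parenthetical also starts in lower case after the full stop; folding it into the sentence reads better, as in `... under the developers' control, including vertex and index data, shaders, and pipeline and draw call parameters.`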
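Review bot: The setPipelineCacheData() warning vouches for "robust parsing of the header and metadata" but says nothing about the rest of \a data, which is what a reader worried about untrusted input needs to know. If the remaining payload is passed on to the graphics API or driver unchecked, which the trust requirement suggests but the hunk does not show, say so, e.g. `The remainder of the blob is passed to the graphics API as-is and is not validated by Qt.` The sentence is also a comma splice; split it as `... included in \a data. Application developers are, however, advised never to pass in data from untrusted sources.` It would also help to note that a cache file stored where other users or processes can write to it counts as an untrusted source. The function body lies outside the hunk, so this rests on the documentation text alone.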
@@ -537,6 +537,11 @@ static void readShaderKey(QDataStream *ds, QShaderKey *k) If \a data cannot be deserialized successfully, the result is a default constructed QShader for which isValid() returns \c false. + \warning Shader packages, including \c{.qsb} files in the filesystem, are + assumed to be trusted content. Application developers are advised to + carefully consider the potential implications before allowing the loading of + user-provided content that is not part of the application. + \sa serialized() */ QShader QShader::fromSerialized(const QByteArray &data)
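Review bot: In the fromSerialized() documentation the new warning directly follows the statement that a failed deserialization yields a QShader whose isValid() returns \c false, which invites reading isValid() as a safety check on untrusted packages. The warning should state that a valid result only means the package could be deserialized, e.g. `A successful deserialization does not imply that the contained shaders are safe to use.` The scope wording also differs from the qrhi.cpp overview, which says "not part of the application and is not under the developers' control" while this one stops at "not part of the application". Using the same phrase in both places avoids doubt about whether the two scopes are meant to differ. The function body is outside the hunk.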