From c4f2d637999f290d601df4343bc563b35d829e79 Mon Sep 17 00:00:00 2001
From: Marc Mutz <marc.mutz@qt.io>
Date: Tue, 11 Mar 2025 11:50:30 +0100
Subject: [PATCH] Mark QXmlStream{Reader,Writer} as security-critical
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If QXmlStream isn't security-criticial, what is?

qxmlstream.h contains the definition of the QXmlString work-horse, so
it has to be security-critical, too (until we remove it).

Amends 8df072fc8006510c9b743e8ffedaaf51a876883a.

QUIP: 23
Task-number: QTBUG-135194
Pick-to: 6.8
Change-Id: Ib366e63fb89aa0b69ad437f6688285b2c390c5c1
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
Reviewed-by: Kai Köhne <kai.koehne@qt.io>
(cherry picked from commit 0a7ee06b27c55f10b65b053cabdc893ae8f23893)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
 src/corelib/serialization/qxmlstream.cpp        | 1 +
 src/corelib/serialization/qxmlstream.g          | 2 ++
 src/corelib/serialization/qxmlstream.h          | 1 +
 src/corelib/serialization/qxmlstream_p.h        | 1 +
 src/corelib/serialization/qxmlstreamgrammar.cpp | 1 +
 src/corelib/serialization/qxmlstreamgrammar_p.h | 1 +
 src/corelib/serialization/qxmlstreamparser_p.h  | 1 +
 7 files changed, 8 insertions(+)

diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp
index 7e14b098de9..00b51612688 100644
--- a/src/corelib/serialization/qxmlstream.cpp
+++ b/src/corelib/serialization/qxmlstream.cpp
@@ -1,5 +1,6 @@
 // Copyright (C) 2016 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 
 #include "QtCore/qxmlstream.h"
 
diff --git a/src/corelib/serialization/qxmlstream.g b/src/corelib/serialization/qxmlstream.g
index d1e3e182e26..853945439f1 100644
--- a/src/corelib/serialization/qxmlstream.g
+++ b/src/corelib/serialization/qxmlstream.g
@@ -1,5 +1,6 @@
 -- Copyright (C) 2020 The Qt Company Ltd.
 -- SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+-- Qt-Security score:critical reason:data-parser
 
 %parser QXmlStreamGrammar
 %impl           qxmlstreamparser_p.h
@@ -111,6 +112,7 @@
 
 /.// Copyright (C) 2020 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 
 
 //
diff --git a/src/corelib/serialization/qxmlstream.h b/src/corelib/serialization/qxmlstream.h
index 71294cb6bc9..2d761935f24 100644
--- a/src/corelib/serialization/qxmlstream.h
+++ b/src/corelib/serialization/qxmlstream.h
@@ -1,5 +1,6 @@
 // Copyright (C) 2016 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 
 #ifndef QXMLSTREAM_H
 #define QXMLSTREAM_H
diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
index f5695dd6670..e4c9dbe4048 100644
--- a/src/corelib/serialization/qxmlstream_p.h
+++ b/src/corelib/serialization/qxmlstream_p.h
@@ -1,5 +1,6 @@
 // Copyright (C) 2016 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 
 //
 //  W A R N I N G
diff --git a/src/corelib/serialization/qxmlstreamgrammar.cpp b/src/corelib/serialization/qxmlstreamgrammar.cpp
index 074b9023cee..b2e5249d24e 100644
--- a/src/corelib/serialization/qxmlstreamgrammar.cpp
+++ b/src/corelib/serialization/qxmlstreamgrammar.cpp
@@ -1,5 +1,6 @@
 // Copyright (C) 2020 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 
 // This file was generated by qlalr - DO NOT EDIT!
 #include "qxmlstreamgrammar_p.h"
diff --git a/src/corelib/serialization/qxmlstreamgrammar_p.h b/src/corelib/serialization/qxmlstreamgrammar_p.h
index 80ee8e929f5..140e3d52bc5 100644
--- a/src/corelib/serialization/qxmlstreamgrammar_p.h
+++ b/src/corelib/serialization/qxmlstreamgrammar_p.h
@@ -1,5 +1,6 @@
 // Copyright (C) 2020 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 
 //
 //  W A R N I N G
diff --git a/src/corelib/serialization/qxmlstreamparser_p.h b/src/corelib/serialization/qxmlstreamparser_p.h
index 4bdcd77f3e1..c62080b0a13 100644
--- a/src/corelib/serialization/qxmlstreamparser_p.h
+++ b/src/corelib/serialization/qxmlstreamparser_p.h
@@ -1,5 +1,6 @@
 // Copyright (C) 2020 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 
 
 //