From d7d2c95eca118aa1815ccb4fe3e08dfd3a438c1b Mon Sep 17 00:00:00 2001 From: Marc Mutz Date: Tue, 11 Mar 2025 11:50:30 +0100 Subject: [PATCH] Mark QByteArray and QString as security-critical These classes are usually the first line of defense, containing tainted data before anything else had the chance the verify it. Amends 8df072fc8006510c9b743e8ffedaaf51a876883a. QUIP: 23 Task-number: QTBUG-135195 Pick-to: 6.8 Change-Id: I91413e022b9794e21b6816b80962f5169ce8cd78 Reviewed-by: Matthias Rauter (cherry picked from commit ef8d3e91d88e886cb12ccee9604e561b7699072b) Reviewed-by: Qt Cherry-pick Bot
---
 src/corelib/text/qbytearray.cpp | 1 + src/corelib/text/qbytearray.h | 1 + src/corelib/text/qstring.cpp | 1 + src/corelib/text/qstring.h | 1 + 4 files changed, 4 insertions(+)
diff --git a/src/corelib/text/qbytearray.cpp b/src/corelib/text/qbytearray.cpp
index 38aefde18d0..10c61d97ff7 100644
--- a/src/corelib/text/qbytearray.cpp
+++ b/src/corelib/text/qbytearray.cpp
@@ -2,6 +2,7 @@
 // Copyright (C) 2016 Intel Corporation.
 // Copyright (C) 2019 Klarälvdalens Datakonsult AB, a KDAB Group company, info@kdab.com, author Giuseppe D'Angelo
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 
 #include "qbytearray.h"
 #include "qbytearraymatcher.h"
diff --git a/src/corelib/text/qbytearray.h b/src/corelib/text/qbytearray.h
index f6d626e9a49..552b3fa5937 100644
--- a/src/corelib/text/qbytearray.h
+++ b/src/corelib/text/qbytearray.h
@@ -1,6 +1,7 @@
 // Copyright (C) 2022 The Qt Company Ltd.
 // Copyright (C) 2016 Intel Corporation.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 
 #ifndef QBYTEARRAY_H
 #define QBYTEARRAY_H
diff --git a/src/corelib/text/qstring.cpp b/src/corelib/text/qstring.cpp
index f40cd1910e9..1d99f204ea6 100644
--- a/src/corelib/text/qstring.cpp
+++ b/src/corelib/text/qstring.cpp
@@ -2,6 +2,7 @@
 // Copyright (C) 2022 Intel Corporation.
 // Copyright (C) 2019 Mail.ru Group.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 
 #include "qstringlist.h"
 #if QT_CONFIG(regularexpression)
diff --git a/src/corelib/text/qstring.h b/src/corelib/text/qstring.h
index 0cf01ff2c3a..bbd137e809d 100644
--- a/src/corelib/text/qstring.h
+++ b/src/corelib/text/qstring.h
@@ -3,6 +3,7 @@
 // Copyright (C) 2019 Mail.ru Group.
 // Copyright (C) 2020 Klarälvdalens Datakonsult AB, a KDAB Group company, info@kdab.com, author Marc Mutz
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 
 #ifndef QSTRING_H
 #define QSTRING_H