Add trusted content notes to QOpenGLShader(Program)

Pick-to: 6.9 6.8 Change-Id: I089044e6834ebbb992b36c898eb956959f430522 Reviewed-by: Andy Nichols <andy.nichols@qt.io>
2025-03-10 15:21:52 +01:00 · 2025-03-10 15:21:52 +01:00 · f9a625eb8c
commit f9a625eb8c
parent 8612bd8345
1 changed files with 20 additions and 0 deletions
--- a/src/opengl/qopenglshaderprogram.cpp
+++ b/src/opengl/qopenglshaderprogram.cpp
@ -110,6 +110,17 @@ using namespace Qt::StringLiterals;
    they advertise the extension or offer OpenGL ES 3.0. In this case program
    binary support will be disabled.

+    \section1 Security Considerations
+
+    All data consumed by QOpenGLShaderProgram is expected to be trusted content.
+    Shader source code is passed, possibly after minimal modifications, on to
+    the underlying OpenGL implementation's compiler, which is a black box from
+    Qt's perspective.
+
+    \warning Application developers are advised to carefully consider the
+    potential implications before passing in user-provided content to functions
+    such as addShaderFromSourceFile().
+
    \sa QOpenGLShader
 */

@ -126,6 +137,15 @@ using namespace Qt::StringLiterals;
    QOpenGLShader and QOpenGLShaderProgram shelter the programmer from the details of
    compiling and linking vertex and fragment shaders.

+    All data consumed by QOpenGLShader is expected to be trusted content. Shader
+    source code is passed, possibly after minimal modifications, on to the
+    underlying OpenGL implementation's compiler, which is a black box from Qt's
+    perspective.
+
+    \warning Application developers are advised to carefully consider the
+    potential implications before passing in user-provided content to functions
+    such as compileSourceFile().
+
    \sa QOpenGLShaderProgram
 */