From ffc55b734d5c1da152e608c0205783a27fbe2f9e Mon Sep 17 00:00:00 2001
From: Laszlo Agocs
Date: Mon, 10 Mar 2025 15:21:52 +0100
Subject: [PATCH] Add trusted content notes to QOpenGLShader(Program)
Pick-to: 6.8
Change-Id: I089044e6834ebbb992b36c898eb956959f430522
Reviewed-by: Andy Nichols
(cherry picked from commit f9a625eb8c774643a8e8a5ff9548634e34bf4fe0)
Reviewed-by: Qt Cherry-pick Bot
---
 src/opengl/qopenglshaderprogram.cpp | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/src/opengl/qopenglshaderprogram.cpp b/src/opengl/qopenglshaderprogram.cpp
index 250851134ac..23e6de59b1a 100644
--- a/src/opengl/qopenglshaderprogram.cpp
+++ b/src/opengl/qopenglshaderprogram.cpp
@@ -110,6 +110,17 @@ using namespace Qt::StringLiterals;
 they advertise the extension or offer OpenGL ES 3.0. In this case program binary support will be disabled.
+ \section1 Security Considerations
+
+ All data consumed by QOpenGLShaderProgram is expected to be trusted content.
+ Shader source code is passed, possibly after minimal modifications, on to
+ the underlying OpenGL implementation's compiler, which is a black box from
+ Qt's perspective.
+
+ \warning Application developers are advised to carefully consider the
+ potential implications before passing in user-provided content to functions
+ such as addShaderFromSourceFile().
+
 \sa QOpenGLShader */
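Review bot: The `\warning` in the new Security Considerations section names only addShaderFromSourceFile(), which can read as if the file-based overload were the only risky entry point; addShaderFromSourceCode() and the addCacheableShaderFromSource*() variants hand the same text to the driver's compiler. I would end the sentence with `such as addShaderFromSourceCode() or addShaderFromSourceFile().` and add one line that names the concern, for example `A malformed or hostile shader can crash or stall the driver's compiler, which Qt cannot prevent.` The second hunk has the same gap for QOpenGLShader, where compileSourceCode() is not mentioned next to compileSourceFile(). The doc comment starts above this hunk, so whether the program binary cache is already covered by "all data consumed" elsewhere in it cannot be checked from here.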
@@ -126,6 +137,15 @@ using namespace Qt::StringLiterals;
 QOpenGLShader and QOpenGLShaderProgram shelter the programmer from the details of compiling and linking vertex and fragment shaders.
+ All data consumed by QOpenGLShader is expected to be trusted content. Shader
+ source code is passed, possibly after minimal modifications, on to the
+ underlying OpenGL implementation's compiler, which is a black box from Qt's
+ perspective.
+
+ \warning Application developers are advised to carefully consider the
+ potential implications before passing in user-provided content to functions
+ such as compileSourceFile().
+
 \sa QOpenGLShaderProgram */
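Review bot: The QOpenGLShader text is added as plain paragraphs at the end of the class description, while the QOpenGLShaderProgram hunk puts the same wording under `\section1 Security Considerations`. Starting this block with the same `\section1 Security Considerations` line would keep the two class pages consistent and make the note reachable from the page's section list. The doc comment begins above this hunk, so any section structure it already has could not be checked.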