Add trusted content notes to QOpenGLShader(Program)

Pick-to: 6.9 6.8
Change-Id: I089044e6834ebbb992b36c898eb956959f430522
Reviewed-by: Andy Nichols <[email protected]>

1 files changed, 20 insertions, 0 deletions

diff --git a/src/opengl/qopenglshaderprogram.cpp b/src/opengl/qopenglshaderprogram.cpp
index 250851134ac..23e6de59b1a 100644
--- a/src/opengl/qopenglshaderprogram.cpp
+++ b/src/opengl/qopenglshaderprogram.cpp
@@ -110,6 +110,17 @@ using namespace Qt::StringLiterals;
     they advertise the extension or offer OpenGL ES 3.0. In this case program
     binary support will be disabled.
 
+    \section1 Security Considerations
+
+    All data consumed by QOpenGLShaderProgram is expected to be trusted content.
+    Shader source code is passed, possibly after minimal modifications, on to
+    the underlying OpenGL implementation's compiler, which is a black box from
+    Qt's perspective.
+
+    \warning Application developers are advised to carefully consider the
+    potential implications before passing in user-provided content to functions
+    such as addShaderFromSourceFile().
+
     \sa QOpenGLShader
 */
 
@@ -126,6 +137,15 @@ using namespace Qt::StringLiterals;
     QOpenGLShader and QOpenGLShaderProgram shelter the programmer from the details of
     compiling and linking vertex and fragment shaders.
 
+    All data consumed by QOpenGLShader is expected to be trusted content. Shader
+    source code is passed, possibly after minimal modifications, on to the
+    underlying OpenGL implementation's compiler, which is a black box from Qt's
+    perspective.
+
+    \warning Application developers are advised to carefully consider the
+    potential implications before passing in user-provided content to functions
+    such as compileSourceFile().
+
     \sa QOpenGLShaderProgram
 */