author: Thiago Macieira <[email protected]> 2023-12-13 11:37:48 -0300
committer: Qt Cherry-pick Bot <[email protected]> 2023-12-22 03:27:26 +0000
commit: b7792d9b81a3b72c0e1604683557f59372b2d08f (patch)
tree: ffc8535337bb3befd76b90704656208184821048
parent: 27c8d61e9da3e2299bddb7cc3c4190477b12f4d2 (diff)
QDataStream & QResource: document their lack of security-hardening
Fixes: QTBUG-120012
Task-number: QTBUG-119178
Change-Id: I6e2677aad2ab45759db2fffd17a06af730e320d6
Reviewed-by: Ievgenii Meshcheriakov <[email protected]>
Reviewed-by: Volker Hilsheimer <[email protected]>
(cherry picked from commit e696bec76e4f852cb28f27c50c95d3504fba559e)
Reviewed-by: Qt Cherry-pick Bot <[email protected]>
(cherry picked from commit 60d60dba77f77d603b42b7a42c9f5c9aec280e89)
(cherry picked from commit 06618fbebe7f57152787689fde134fef5105c0ed)
-rw-r--r-- src/corelib/io/qresource.cpp              | 13
-rw-r--r-- src/corelib/serialization/qdatastream.cpp | 21
2 files changed, 34 insertions, 0 deletions
diff --git a/src/corelib/io/qresource.cpp b/src/corelib/io/qresource.cpp
index 70aecc0ff98..b84727db9d7 100644
--- a/src/corelib/io/qresource.cpp
+++ b/src/corelib/io/qresource.cpp
@@ -233,6 +233,19 @@ static inline ResourceList *resourceList()
itself will be unmapped from memory when the last QResource that points
to it is destroyed.
+ \section2 Corruption and Security
+
+ The QResource class performs some checks on the file passed to determine
+ whether it is supported by the current version of Qt. Those tests are only
+ to check the file header does not request features (such as Zstandard
+ decompression) that have not been compiled in or that the file is not of a
+ future version of Qt. They do not confirm the validity of the entire file.
+
+ QResource should not be used on files whose provenance cannot be trusted.
+ Applications should be designed to attempt to load only resource files
+ whose provenance is at least as trustworthy as that of the application
+ itself or its plugins.
+
\sa {The Qt Resource System}, QFile, QDir, QFileInfo
*/
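Review bot: the second sentence of the new section ("Those tests are only to check the file header does not request features ... or that the file is not of a future version of Qt") reads as if the checks might do one thing or the other; both conditions cause the file to be rejected, so "and that the file is not of a future version of Qt" would state it unambiguously. The paragraph also says the checks "do not confirm the validity of the entire file" but stops short of saying what the caller observes when a malformed file is loaded; one sentence on the observable behaviour would make the warning actionable rather than leaving the reader to guess. Since the advice is phrased purely in terms of provenance, it would also help to say that an application which must accept third-party resource files has to validate them by its own means before registering them, because QResource will not do it.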
diff --git a/src/corelib/serialization/qdatastream.cpp b/src/corelib/serialization/qdatastream.cpp
index f2464e4d048..6319269d41f 100644
--- a/src/corelib/serialization/qdatastream.cpp
+++ b/src/corelib/serialization/qdatastream.cpp
@@ -164,6 +164,27 @@ QT_BEGIN_NAMESPACE
If no full packet is received, this code restores the stream to the
initial position, after which you need to wait for more data to arrive.
+ \section1 Corruption and Security
+
+ QDataStream is not resilient against corrupted data inputs and should
+ therefore not be used for security-sensitive situations, even when using
+ transactions. Transactions will help determine if a valid input can
+ currently be decoded with the data currently available on an asynchronous
+ device, but will assume that the data that is available is correctly
+ formed.
+
+ Additionally, many QDataStream demarshalling operators will allocate memory
+ based on information found in the stream. Those operators perform no
+ verification on whether the requested amount of memory is reasonable or if
+ it is compatible with the amount of data available in the stream (example:
+ demarshalling a QByteArray or QString may see the request for allocation of
+ several gigabytes of data).
+
+ QDataStream should not be used on content whose provenance cannot be
+ trusted. Applications should be designed to attempt to decode only streams
+ whose provenance is at least as trustworthy as that of the application
+ itself or its plugins.
+
\sa QTextStream, QVariant
*/
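Review bot: "can currently be decoded with the data currently available" in the first paragraph doubles up "currently"; drop one of them. More substantively, the second paragraph states that the demarshalling operators allocate memory based on lengths read from the stream without checking them against the data available, but does not say what the caller observes when such an allocation fails or the length exceeds the remaining data (an error status on the stream, an exception, or undefined behaviour); that is exactly the detail a reader deciding whether the class is acceptable for their input needs, so it belongs in this section rather than being left implicit. It would also be worth stating whether callers who must read length-prefixed values from a device can bound the length themselves before invoking the operator, since at present the section offers only the blanket advice to avoid untrusted input.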