author Fabian Kosmale <fabian.kosmale@qt.io> 2025-08-26 17:35:24 +0200
committer Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> 2025-09-18 21:28:04 +0000
commit f124a3bef4dba872358febfd7c165037a8c99049
tree 51536a16017b73ededa429ce6bb6ff60f2c58918 /src/qml/jsruntime/qv4functiontable_unix.cpp
parent 45be501c9a688db9b5f46ab88ae06fb6ea3f8071
CRA review qml/jsruntime
This relies heavily on the documented fact that we only support trusted QML/JS content, meaning most files are only significant, not critical. This also extends to the handling of qmlc files (as in compilationunitmapper), as we store them in a user owned, non-shared cache directory – so any vulnerability there would already mean that an attacker has write-privileges on user data. An exception is ArrayBuffer, which can be used with arbitrary user data, and should create a valid QBA.

Fixes: QTBUG-136970
Pick-to: 6.9 6.8
QUIP: 23
Change-Id: I22033fe6ab4acf8362a8183e25b92331d45cb32c
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
(cherry picked from commit 22df353c14800d2e9b6d57a9a0cb9c6baa337999)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
Diffstat (limited to 'src/qml/jsruntime/qv4functiontable_unix.cpp')
-rw-r--r-- src/qml/jsruntime/qv4functiontable_unix.cpp 1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/qml/jsruntime/qv4functiontable_unix.cpp b/src/qml/jsruntime/qv4functiontable_unix.cpp
index 9561917777..337700d55e 100644
--- a/src/qml/jsruntime/qv4functiontable_unix.cpp
+++ b/src/qml/jsruntime/qv4functiontable_unix.cpp
@@ -1,5 +1,6 @@
// Copyright (C) 2017 The Qt Company Ltd.
// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:significant
#include "qv4functiontable_p.h"
#include "qv4function_p.h"
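Review bot: the added `// Qt-Security score:significant` line in the file header records the score but not the reason for it. The commit message ties the "significant, not critical" rating to the assumption that only trusted QML/JS content is supported, and nothing in the header says so, which means someone reading qv4functiontable_unix.cpp on its own cannot tell what the rating depends on or when it would need revisiting. Consider adding a short rationale next to the score, or a pointer to the QUIP 23 named in the commit trailers, so the classification can be re-checked if the trust assumption changes.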