| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We assume that QML or JS code comes from a trusted source. Therefore,
most files are deemed to be significant even if they parse data. This
includes the source code itself but also the associated metadata or
cache files.
However, the QML compiler also generates C++ code. Extra care needs to
be taken with the generator as a vulnerability there could propagate and
have a disproportionate effect on the program's security. It is marked
as critical.
QUIP: 23
Fixes: QTBUG-136195
Pick-to: 6.10 6.9 6.8
Change-Id: I70630361ec8e9cb3969f78a3fdf36a41334a33b3
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
|
| |
|
|
|
| |
Change-Id: Ia3dc17a31856047b9fd7c5da89320c7234847a59
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
|
|
This patch adds abstractions for QML Elements, Bindings, Methods and
Properties. This abstraction layer avoids exposing internal details and
should be more suited for static analysis tasks. It is now possible to
write qmllint plugins without including private headers.
As a drive-by, change tst_qmllint:verifyJsRoot to open files in text
mode instead of binary. This fixes an issue where line endings cause
issues on Windows.
Fixes: QTBUG-102276
Change-Id: I6b6e53f1e0078734a18f3aa51807fbe875b375f0
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
|
