From 22df353c14800d2e9b6d57a9a0cb9c6baa337999 Mon Sep 17 00:00:00 2001 From: Fabian Kosmale Date: Tue, 26 Aug 2025 17:35:24 +0200 Subject: CRA review qml/jsruntime MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This relies heavily on the documented fact that we only support trusted QML/JS content, meaning most files are only significant, not critical. This also extends to the handling of qmlc files (as in compilationunitmapper), as we store them in a user owned, non-shared cache directory – so any vulnerability there would already mean that an attacker has write-privileges on user data. An exception is ArrayBuffer, which can be used with arbitrary user data, and should create a valid QBA. Fixes: QTBUG-136970 Pick-to: 6.10 6.9 6.8 QUIP: 23 Change-Id: I22033fe6ab4acf8362a8183e25b92331d45cb32c Reviewed-by: Ulf Hermann --- src/qml/jsruntime/qv4functiontable_unix.cpp | 1 + 1 file changed, 1 insertion(+) (limited to 'src/qml/jsruntime/qv4functiontable_unix.cpp') diff --git a/src/qml/jsruntime/qv4functiontable_unix.cpp b/src/qml/jsruntime/qv4functiontable_unix.cpp index 9561917777..337700d55e 100644 --- a/src/qml/jsruntime/qv4functiontable_unix.cpp +++ b/src/qml/jsruntime/qv4functiontable_unix.cpp @@ -1,5 +1,6 @@ // Copyright (C) 2017 The Qt Company Ltd. // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only +// Qt-Security score:significant #include "qv4functiontable_p.h" #include "qv4function_p.h" -- cgit v1.2.3
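Review bot: The added header line `// Qt-Security score:significant` in qv4functiontable_unix.cpp records the score but not why it applies, so the justification (only trusted QML/JS content is supported) lives solely in the commit message and is lost to anyone reading the file or auditing the markers later. If the marker format from QUIP 23 allows a reason to be recorded next to the score, add it here; otherwise a one-line comment pointing at the trusted-content assumption would let a reader see that this classification has to be revisited if that assumption ever changes. It would also help to state in the commit message why this particular file falls under the "most files" case rather than being an exception like the ArrayBuffer one it mentions.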