Add trusted content notes to QOpenGLShader(Program)

alpqr · alpqr · commit f9a625eb8c77 · 2025-03-11T13:54:48.000+01:00
Pick-to: 6.9 6.8
Change-Id: I089044e6834ebbb992b36c898eb956959f430522
Reviewed-by: Andy Nichols &lt;andy.nichols@qt.io&gt;
diff --git a/src/opengl/qopenglshaderprogram.cpp b/src/opengl/qopenglshaderprogram.cpp
@@ -110,6 +110,17 @@ using namespace Qt::StringLiterals;
     they advertise the extension or offer OpenGL ES 3.0. In this case program
     binary support will be disabled.
 
+    \section1 Security Considerations
+
+    All data consumed by QOpenGLShaderProgram is expected to be trusted content.
+    Shader source code is passed, possibly after minimal modifications, on to
+    the underlying OpenGL implementation's compiler, which is a black box from
+    Qt's perspective.
+
+    \warning Application developers are advised to carefully consider the
+    potential implications before passing in user-provided content to functions
+    such as addShaderFromSourceFile().
+
     \sa QOpenGLShader
 */
 
@@ -126,6 +137,15 @@ using namespace Qt::StringLiterals;
     QOpenGLShader and QOpenGLShaderProgram shelter the programmer from the details of
     compiling and linking vertex and fragment shaders.
 
+    All data consumed by QOpenGLShader is expected to be trusted content. Shader
+    source code is passed, possibly after minimal modifications, on to the
+    underlying OpenGL implementation's compiler, which is a black box from Qt's
+    perspective.
+
+    \warning Application developers are advised to carefully consider the
+    potential implications before passing in user-provided content to functions
+    such as compileSourceFile().
+
     \sa QOpenGLShaderProgram
 */
 
