Mark string view classes as security-critical

QString and QByteArray are critical, too, and not because of their ownership semantics, but because of the algorithms operating on them. The views have largely the same algorithms, so the same rationale applies here. Unlike the owning containers, the views are mostly inline, so mark the headers. The implementation files, OTOH, are not critical, because they contain only trivial implementation: - QDebug op<< (qanystringview.cpp) - none (qstringview.cpp) The qdoc files, some of which have in the past moved from qdoc to cpp and/or back, are insignificant reason:docs. Task-number: QTBUG-135195 Pick-to: 6.10.0 6.10 6.9 6.8 Change-Id: Ic7874d5d28a966be52813ada36e65f488e6fb653 Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
2025-09-10 10:41:44 +02:00 · 2025-09-10 10:41:44 +02:00 · 9efcf14572
parent 6ee4f40d53
commit 9efcf14572
10 changed files with 10 additions and 0 deletions
--- a/src/corelib/text/qanystringview.cpp
+++ b/src/corelib/text/qanystringview.cpp
@ -1,5 +1,6 @@
 // Copyright (C) 2020 Klarälvdalens Datakonsult AB, a KDAB Group company, info@kdab.com, author Marc Mutz <marc.mutz@kdab.com>
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:sensitive reason:trivial-impl-only

 #include "qanystringview.h"
 #include "qdebug.h"
--- a/src/corelib/text/qanystringview.h
+++ b/src/corelib/text/qanystringview.h
@ -1,6 +1,7 @@
 // Copyright (C) 2022 The Qt Company Ltd.
 // Copyright (C) 2020 Klarälvdalens Datakonsult AB, a KDAB Group company, info@kdab.com, author Marc Mutz <marc.mutz@kdab.com>
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 #ifndef QANYSTRINGVIEW_H
 #define QANYSTRINGVIEW_H

--- a/src/corelib/text/qbytearrayview.h
+++ b/src/corelib/text/qbytearrayview.h
@ -1,5 +1,6 @@
 // Copyright (C) 2021 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 #ifndef QBYTEARRAYVIEW_H
 #define QBYTEARRAYVIEW_H

--- a/src/corelib/text/qbytearrayview.qdoc
+++ b/src/corelib/text/qbytearrayview.qdoc
@ -1,5 +1,6 @@
 // Copyright (C) 2022 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GFDL-1.3-no-invariants-only
+// Qt-Security score:insignificant reason:docs

 /*!
    \class QByteArrayView
--- a/src/corelib/text/qlatin1stringview.h
+++ b/src/corelib/text/qlatin1stringview.h
@ -3,6 +3,7 @@
 // Copyright (C) 2019 Mail.ru Group.
 // Copyright (C) 2020 Klarälvdalens Datakonsult AB, a KDAB Group company, info@kdab.com, author Marc Mutz <marc.mutz@kdab.com>
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser

 #ifndef QLATIN1STRINGVIEW_H
 #define QLATIN1STRINGVIEW_H
--- a/src/corelib/text/qlatin1stringview.qdoc
+++ b/src/corelib/text/qlatin1stringview.qdoc
@ -2,6 +2,7 @@
 // Copyright (C) 2022 Intel Corporation.
 // Copyright (C) 2019 Mail.ru Group.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GFDL-1.3-no-invariants-only
+// Qt-Security score:insignificant reason:docs

 /*! \class QLatin1StringView
    \inmodule QtCore
--- a/src/corelib/text/qstringview.cpp
+++ b/src/corelib/text/qstringview.cpp
@ -1,5 +1,6 @@
 // Copyright (C) 2017 Klarälvdalens Datakonsult AB, a KDAB Group company, info@kdab.com, author Marc Mutz <marc.mutz@kdab.com>
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:sensitive reason:docs-only

 #include "qstringview.h"

--- a/src/corelib/text/qstringview.h
+++ b/src/corelib/text/qstringview.h
@ -1,6 +1,7 @@
 // Copyright (C) 2020 Klarälvdalens Datakonsult AB, a KDAB Group company, info@kdab.com, author Marc Mutz <marc.mutz@kdab.com>
 // Copyright (C) 2019 Mail.ru Group.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 #ifndef QSTRINGVIEW_H
 #define QSTRINGVIEW_H

--- a/src/corelib/text/qutf8stringview.h
+++ b/src/corelib/text/qutf8stringview.h
@ -1,5 +1,6 @@
 // Copyright (C) 2020 Klarälvdalens Datakonsult AB, a KDAB Group company, info@kdab.com, author Marc Mutz <marc.mutz@kdab.com>
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 #ifndef QUTF8STRINGVIEW_H
 #define QUTF8STRINGVIEW_H

--- a/src/corelib/text/qutf8stringview.qdoc
+++ b/src/corelib/text/qutf8stringview.qdoc
@ -1,5 +1,6 @@
 // Copyright (C) 2020 Klarälvdalens Datakonsult AB, a KDAB Group company, info@kdab.com, author Marc Mutz <marc.mutz@kdab.com>
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GFDL-1.3-no-invariants-only
+// Qt-Security score:sensitive reason:docs

 /*!
    \class QUtf8StringView