
Re: SPARQL Protocol for RDF / feedback (fwd)

From: Dirk-Willem van Gulik <dirkx@webweaving.org>
Date: Wed, 26 Jan 2005 07:38:25 -0800 (PST)
To: "Seaborne, Andy" <andy.seaborne@hp.com>
cc: public-rdf-dawg@w3.org
Message-ID: <20050126073038.J96832@skutsje.san.webweaving.org>



On Wed, 26 Jan 2005, Seaborne, Andy wrote:

> Thanks for the comments - I found them helpful and a bit scary where it talks
> about the issues around long URLs and security tools.

These products are not exactly refined - i.e. they just look for things
like:

->	Very long URIs aimed at buffer overruns.
->	Too many spaces or 0x90 in the URI (buffer overruns too).
->	Things which look like SQL or Access/VBScript (bad code which does
	not escape properly so that SQL constructed on the fly makes it
	to the DB or to the stored procedure/scripting realm).
->	UTF8 or Unicode escape sequences in the ? part (mostly
	for cross-site scripting and phishing).

and block these. Having said that, -even- things like Apache cut things off
at 8k for any line or field, and it is common to reduce this.

Dw

193.252.28.6 - - [10/Jan/2005:06:26:04 +0100] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 403 - "-" "-"
80.110.204.152 - - [10/Jan/2005:19:40:17 +0100] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1!
 \x02\xb1\x
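As an added illustration of the kind of coarse filter described above (not code from the message or from any of the products it alludes to), the following Python models the four heuristics listed there plus the traversal pattern visible in the first quoted log line, and runs them over constructed Apache access-log lines. The thresholds, the `/sparql?query=` endpoint and the sample addresses are assumptions; the only real reference is Apache's `LimitRequestLine` directive, whose default is 8190 bytes. The last two sample lines are legitimate SPARQL queries sent over GET, which is the point Andy found scary: a query with a `FROM` clause looks like SQL to such a filter, and a modestly long query trips the length limit.

```python
"""Toy model of the coarse request heuristics described in the message
(long URIs, NOP/space padding, SQL-looking strings, escape sequences),
run over constructed Apache access-log lines.  Thresholds are assumptions."""
import re
from urllib.parse import quote, unquote

# Apache combined log format: ip ident user [ts] "METHOD target PROTO" status size "ref" "ua"
# (PROTO is optional so that request lines logged without it, as in the message, still parse)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

URI_LEN_LIMIT = 1024   # assumed IDS threshold; Apache's own LimitRequestLine default is 8190
SLED_MIN = 16          # assumed: this many consecutive 0x90 bytes or spaces looks like padding

# Apache writes non-printable bytes into the log as \xNN, so a sled of 0x90
# bytes appears literally as "\x90\x90..." in the text.
NOP_SLED_RE = re.compile(r'(?:\\x90){' + str(SLED_MIN) + ',}')
SPACE_SLED_RE = re.compile(r'(?:%20){' + str(SLED_MIN) + ',}')
SQL_RE = re.compile(
    r"(?i)(union\s+(?:all\s+)?select|select\s.+\sfrom\s|insert\s+into|"
    r"drop\s+table|xp_cmdshell|exec\s*\(|'\s*or\s+'|;\s*--)"
)
# %uXXXX (IIS-style Unicode), overlong UTF-8 for '/' and '\', double-encoded %25XX
ESCAPE_RE = re.compile(r'(?i)(%u[0-9a-f]{4}|%c0%af|%c1%9c|%25[0-9a-f]{2})')
XSS_RE = re.compile(r'(?i)(<script|javascript:|onerror\s*=)')
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|/cmd\.exe)')


def flag(target):
    """Return the names of the heuristics a request target trips ([] = passes)."""
    decoded = unquote(unquote(target))   # decode twice to see through %25XX
    reasons = []
    if len(target) > URI_LEN_LIMIT:
        reasons.append('long-uri')
    if NOP_SLED_RE.search(target) or SPACE_SLED_RE.search(target):
        reasons.append('padding')
    if SQL_RE.search(decoded):
        reasons.append('sql-like')
    if ESCAPE_RE.search(target):
        reasons.append('escape-seq')
    if XSS_RE.search(decoded):
        reasons.append('script-like')
    if TRAVERSAL_RE.search(decoded):
        reasons.append('traversal')
    return reasons


def scan(lines):
    """Parse access-log lines; return [(ip, method, reasons)] for requests that trip something."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        reasons = flag(m['target'])
        if reasons:
            hits.append((m['ip'], m['method'], reasons))
    return hits


def sparql_get_target(n_optional):
    """A legitimate SPARQL-over-GET target (assumed /sparql?query= endpoint);
    more OPTIONAL clauses make a longer URI."""
    q = ('PREFIX foaf: <http://xmlns.com/foaf/0.1/> '
         'SELECT ?name FROM <http://example.org/people> WHERE { ?p foaf:name ?name '
         + ''.join('OPTIONAL { ?p foaf:knows ?f%d } ' % i for i in range(n_optional))
         + '}')
    return '/sparql?query=' + quote(q, safe='')


# Constructed sample log lines (addresses from the 203.0.113.0/24 documentation range).
SAMPLE_LOG = [
    # double-encoded traversal to cmd.exe, the shape of the first line quoted in the message
    '203.0.113.10 - - [10/Jan/2005:06:26:04 +0100] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 - "-" "-"',
    # SEARCH request padded with 0x90 bytes, the shape of the second quoted line
    '203.0.113.11 - - [10/Jan/2005:19:40:17 +0100] "SEARCH /' + '\\x90' * 40 + ' HTTP/1.1" 411 - "-" "-"',
    # classic SQL injection probe in the query string
    '203.0.113.12 - - [11/Jan/2005:01:02:03 +0100] "GET /item.asp?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 512 "-" "-"',
    # ordinary fetch
    '203.0.113.13 - - [11/Jan/2005:01:02:04 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # legitimate SPARQL queries over GET: short, and long enough to exceed URI_LEN_LIMIT
    '203.0.113.14 - - [11/Jan/2005:01:02:05 +0100] "GET ' + sparql_get_target(0) + ' HTTP/1.1" 200 4096 "-" "-"',
    '203.0.113.15 - - [11/Jan/2005:01:02:06 +0100] "GET ' + sparql_get_target(40) + ' HTTP/1.1" 200 4096 "-" "-"',
]

if __name__ == '__main__':
    for ip, method, reasons in scan(SAMPLE_LOG):
        print(ip, method, ', '.join(reasons))
```

Run as a script it lists five of the six sample requests: the three probes for the expected reasons, and both SPARQL requests, the short one as `sql-like` (the `SELECT ... FROM` in the query) and the long one as `long-uri, sql-like`. Only `/index.html` passes, which is the practical consequence for a GET-based query protocol sitting behind such a filter.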
Received on Wednesday, 26 January 2005 15:42:50 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 16:15:22 GMT