W3C home > Mailing lists > Public > public-rdf-dawg@w3.org > October to December 2005

Re: query by reference

From: Seaborne, Andy <andy.seaborne@hp.com>
Date: Wed, 16 Nov 2005 13:56:11 +0000
Message-ID: <437B3A7B.30103@hp.com>
To: dawg mailing list <public-rdf-dawg@w3.org>



Steve Harris wrote:
> On Tue, Nov 15, 2005 at 04:43:42PM -0500, Kendall Clark wrote:
> 
>>I'd like to propose adding that back to the protocol design.  
>>Basically we're talking about adding another parameter (in HTTP),  
>>"query-uri", the value of which would be a URI which, when  
>>dereferenced, would return a representation of a SPARQL query  
>>resource. That would add a third way to "convey a query" to a SPARQL  
>>query service:
> 
> 
> Sounds good to me.
>  
> 
>>a. POSTing a urlencoded query in the body of an HTTP request
>>b. serializing a query in a URI (in the 'query' parameter)
>>c. 'pointing' at a query on the Web and asking the service to deref  
>>and execute it
>>
>>I don't believe this opens any additional security or implementation  
>>burdens since:
>>
>>- we already allow arbitrary URIs to be deref'd to load data
>>
>>- whatever sanity checks one would implement (or specify) re:  
>>executing an arbitrary SPARQL query conveyed via (a) or (b) also  
>>apply to (c), and I don't believe (c) adds any additional constraints  
>>or holes (but I'm *not* a security expert)...
> 
> 
> I agree, but its not that simple. My understanding is that is OK by the
> spec. for services not to treat FROM etc. as an instruction to load, and I
> hope that publically accessible sites will, whereas a complaint impl.
> would have to dereference the query-uri to find what it had to run.
> However, if there is a limit of one query-uri paramter then there is a 1:1
> trade in requests, which is not too much of a security issue (the attacker
> may as well have issued the request to the third party itsself, it just
> adds a bit of obfuscation).
> 
> PS incase anyone wonders why I'm so bothered about this, I have a vision
>    of the future where SPARQL's FROM becomes the most popular vector for
>    denial of service attacks... people'd really love us then.
> 
> - Steve (also *not* a security expert)

Good point.  Will a compliant imnplementation be free to not support 
query-uri?  And dataset description in the protocol request and query?

2.1.2 says:

"""
The RDF dataset may be specified either in a [SPARQL] query using FROM and 
FROM NAMED keywords; or it may be specified in the protocol described in this 
document; or it may be specified in both the query string and in the protocol.
"""
and it depends if that list is interpreted exclusively.  Elsewhere it says 
"zero or one dataset descriptions" but it is mid-paragraph.

I suggest inserting at the start of that para: "If an RDF Dataset description 
is included in a request, it may be specificed ...."

And similar text around "query-uri".

	Andy
Received on Wednesday, 16 November 2005 13:56:17 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 16:15:24 GMT