W3C home > Mailing lists > Public > public-rdf-dawg@w3.org > April to June 2009

Re: Security Concerns section added to Query_by_reference

From: Gregory Williams <greg@evilfunhouse.com>
Date: Tue, 7 Apr 2009 09:35:56 -0400
Cc: RDF Data Access Working Group <public-rdf-dawg@w3.org>
Message-Id: <DFC0D8BF-E0BF-4AC0-B0F0-86EA67233D69@evilfunhouse.com>
To: Steve Harris <steve.harris@garlik.com>
On Apr 7, 2009, at 8:01 AM, Steve Harris wrote:

> OK, here's one example:
>
> Imagine a corporate system, inside a firewall, hosting a number of  
> services, and a SPARQL endpoint. There's a hole/bridge through the  
> firewall to allow outside people to connect to the SPARQL store and  
> issue approved queries by reference.
>
> The systems inside the firewall are all in secure.example, eg.  
> sparql.secure.example, and services1.secure.example.
>
> The SPARQL store is configured to only accept references from  
> services1.secure.example, a machine that uses SPARQL to provide  
> services.
>
> An attacker issues a request like ?query-ref=http://services1.secure.example/service/delete-all
>
> As far as the SPARQL endpoint is concerned, that's legitimate, so it  
> might reasonably try and dereference that URI (which is obviously a  
> bad idea to a human).

I'm still not getting how this is different from using a "FROM <http://services1.secure.example/service/delete-all 
 >" clause in the SPARQL query? The underlying problem here seems to  
me to be the existence of a HTTP GET operation that is deleting data,  
and which could be triggered by a FROM clause, a query-ref URI, or  
even a malicious webpage loaded from inside the firewall. Surely any  
security measures you take with regard to FROM clauses can be applied  
to query-ref URIs?

.greg
Received on Tuesday, 7 April 2009 13:36:43 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 16:15:38 GMT