
Re: Followup to RC-4

From: Steve Harris <steve.harris@garlik.com>
Date: Tue, 27 Sep 2011 21:58:19 +0100
Cc: SPARQL Working Group <public-rdf-dawg@w3.org>
Message-Id: <3DD97D22-DB04-42B8-B9C4-41163B89814E@garlik.com>
To: Paul Gearon <pgearon@revelytix.com>
On 27 Sep 2011, at 19:25, Paul Gearon wrote:

> I don't know the process for modifying a document after Last Call, so
> I'm asking the list here.
> In Richard's email of RC-4 [1], he expresses concern that a harmful
> update operation may be embedded in a query:
>> The risk is that a) users can be tricked into running harmful queries, and b) software that uses
>> heuristics to detect queries with potential security impact will be less likely to work.
>> This may have been ok in SPARQL 1.0, but with the addition of SPARQL UPDATE this is an unacceptable risk.
>> I am surprised that the security issues arising from obfuscation through string escaping are not
>> stated in the Security Considerations sections of SPARQL Query and SPARQL Update.
> Andy has adequately addressed this concern by pointing out that Query
> and Update are two separate languages. However, since it is possible
> for an implementation to offer both services at one endpoint, I think
> it would be worthwhile explaining the risk in the "Security
> Considerations (Informative)" section of SPARQL Update.
> My proposed text is:
> ---
> While SPARQL Update and SPARQL Query are separate languages, some
> implementations may choose to offer both at the same SPARQL endpoint.
> In this case, it is important to consider that an Update operation may
> be obscured to masquerade as a query. For instance, a string of
> unicode escapes in a PREFIX clause could be used to hide an Update
> Operation. Therefore, simple syntactic tests are inadequate to
> determine if a string describes a query or an update.
> ---

If the protocol is being used, I believe it would be harder than that to exploit, if I'm reading it correctly that the parameter name is different.

Doesn't that mean that an update request looks like
as opposed to

- Steve

> Is this OK to add to the document?
> Regards,
> Paul Gearon
> [1] http://lists.w3.org/Archives/Public/public-rdf-dawg-comments/2011Aug/0010.html
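The two points in the thread, as an added example that is not code from the working group, from either author, or from any SPARQL implementation: Paul's proposed text says a keyword can be hidden behind a run of codepoint escapes so that "simple syntactic tests" on the raw string misclassify an update as a query, and Steve's reply notes that the SPARQL 1.1 Protocol carries queries and updates under different parameter names. The block below decodes the \uXXXX / \UXXXXXXXX escapes the SPARQL grammar processes before parsing, shows a keyword-grep heuristic failing in both directions (a hidden DROP it misses, a harmless literal it flags), and routes a request on the protocol's carriers instead of on its text. Function names (decode_codepoint_escapes, naive_looks_like_update, dispatch) and the sample strings are constructed for this example; the hypothetical endpoint is assumed to speak SPARQL 1.1 Protocol exactly as specified.

```python
import re
from urllib.parse import parse_qs, quote

# SPARQL 1.1 codepoint escapes (\uXXXX and \UXXXXXXXX) are decoded before
# the grammar is parsed, so a keyword written as a run of escapes is still
# parsed as that keyword.
_CODEPOINT_ESCAPE = re.compile(r"\\u([0-9A-Fa-f]{4})|\\U([0-9A-Fa-f]{8})")


def decode_codepoint_escapes(text):
    """Apply the pre-parse escape decoding that a SPARQL parser performs."""
    return _CODEPOINT_ESCAPE.sub(
        lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


# Keywords that occur in SPARQL 1.1 Update but not in SPARQL 1.1 Query.
UPDATE_KEYWORDS = ("INSERT", "DELETE", "LOAD", "CLEAR", "CREATE", "DROP",
                   "COPY", "MOVE", "ADD", "WITH")
_UPDATE_RE = re.compile(r"\b(?:" + "|".join(UPDATE_KEYWORDS) + r")\b",
                        re.IGNORECASE)


def naive_looks_like_update(text):
    """The kind of heuristic the thread warns about: grep the raw string."""
    return _UPDATE_RE.search(text) is not None


def looks_like_update_after_decoding(text):
    """Same heuristic after escape decoding. Better, but still a heuristic:
    it is fooled by keywords inside string literals, as INNOCENT_QUERY shows."""
    return _UPDATE_RE.search(decode_codepoint_escapes(text)) is not None


# Constructed samples (hypothetical, not taken from the thread).
HIDDEN_DROP = "".join("\\u%04X" % ord(c) for c in "DROP")  # \u0044\u0052\u004F\u0050
OBFUSCATED_UPDATE = ("PREFIX ex: <http://example.org/>\n"
                     + HIDDEN_DROP + " GRAPH <http://example.org/g>")
INNOCENT_QUERY = ('SELECT ?s WHERE { ?s <http://example.org/note> '
                  '"do not DROP this" }')
# The obfuscated update submitted as a URL-encoded POST body under the
# protocol's 'query' parameter.
OBFUSCATED_AS_QUERY_FORM = "query=" + quote(OBFUSCATED_UPDATE)


def dispatch(method, content_type, body, query_string):
    """Route on the SPARQL 1.1 Protocol's carriers, never on the text itself.

    Queries arrive as GET ?query=, POST application/sparql-query, or the
    form field 'query'; updates only as POST application/sparql-update or
    the form field 'update'. Returns (service, text) or ("reject", reason).
    Whatever lands under 'query' is handed to the query parser alone; if
    that parser rejects it, the request fails and is never retried as an
    update.
    """
    media_type = content_type.split(";")[0].strip().lower()
    if method == "GET":
        params = parse_qs(query_string, keep_blank_values=True)
        if "query" in params:
            return ("query", params["query"][0])
        return ("reject", "GET carries queries only")
    if method == "POST":
        if media_type == "application/sparql-query":
            return ("query", body)
        if media_type == "application/sparql-update":
            return ("update", body)
        if media_type == "application/x-www-form-urlencoded":
            form = parse_qs(body, keep_blank_values=True)
            if "query" in form and "update" in form:
                return ("reject", "both 'query' and 'update' present")
            if "query" in form:
                return ("query", form["query"][0])
            if "update" in form:
                return ("update", form["update"][0])
            return ("reject", "neither 'query' nor 'update' present")
    return ("reject", "unsupported method or media type")


if __name__ == "__main__":
    print("raw grep flags obfuscated update:",
          naive_looks_like_update(OBFUSCATED_UPDATE))        # False
    print("raw grep flags innocent query:",
          naive_looks_like_update(INNOCENT_QUERY))           # True
    print("decoded text:", decode_codepoint_escapes(OBFUSCATED_UPDATE))
    print("routed as:", dispatch("POST", "application/x-www-form-urlencoded",
                                 OBFUSCATED_AS_QUERY_FORM, "")[0])  # query
```

The raw grep misses the escaped DROP and flags the harmless literal, so a filter built this way gives both false negatives and false positives; decoding the escapes first closes the obfuscation hole but not the literal problem, and only the grammar itself gives an authoritative answer. Routing on the carrier sidesteps the question for an endpoint that offers both services: the obfuscated update arrives under `query`, reaches only the query parser, and DROP is not in the Query grammar. Checking that the parser in use really is the query-only one (and does not fall back to accepting Update syntax) is the remaining thing to verify in a deployment.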
Received on Tuesday, 27 September 2011 20:59:00 UTC