- From: David Booth <david@dbooth.org>
- Date: Wed, 12 Jun 2013 14:00:10 -0400
- To: Eric Prud'hommeaux <eric@w3.org>, public-rdf-comments <public-rdf-comments@w3.org>

I find the fact that implementers have not noticed a problem to be unconvincing, because NULL characters are extremely rare, and the problem would not even be noticed until it shows up as a security flaw. But I do find your point about representing arbitrary datatypes to be good, and I don't want to pursue this further, so I'll consider it RESOLVED.

Thanks,
David

On 06/12/2013 01:18 PM, Eric Prud'hommeaux wrote:
> Per your question, the WG has discussed the grammar in general and NULLs
> in particular. If you consider this resolved, please respond to the
> thread with [RESOLVED]. If not, we'll need some new information to
> reopen the grammar.
>
> On May 20, 2013 2:47 PM, "Eric Prud'hommeaux" <eric@w3.org <mailto:eric@w3.org>> wrote:
> >
> > * David Booth <david@dbooth.org <mailto:david@dbooth.org>> [2013-05-20 14:27-0400]
> > > On 05/20/2013 01:55 PM, Eric Prud'hommeaux wrote:
> > > >Currently, \u0000 is legal in Turtle (and SPARQL) both in escaped and
> > > >raw form.
> > >
> > > Ugh. Is there really a need to allow the NULL character in a
> > > string? This seems like it is unnecessarily asking for trouble,
> > > given that: (a) Turtle is designed to be semantic-web-friendly, to
> > > be used on the web; and (b) NULL characters in strings can lead to
> > > security vulnerabilities, because of the long history of NULL as a
> > > string terminator.
> > >
> > > I imagine this was discussed already. But were the security
> > > implications adequately considered?
> >
> > I believe so. If we create tests which explicitly include NULL,
> > there's a lot less chance that an extraneous NULL will provide
> > a buffer overrun.
> >
> > I honestly find the XML constraint about NULLs so 80s. I'd argue that
> > not needing to have a special encoding scheme (or four: hexBinary,
> > url-encoding, base64Binary, uu-encoded) for any datatype that might
> > someday in its future have a NULL in it is a significant advantage of
> > SemWeb over the XML stack. I note that none of the Turtle or SPARQL
> > implementers have reported problems with this.
> >
> >
> > > David
> >
> > --
> > -ericP
>

Received on Wednesday, 12 June 2013 18:00:41 UTC
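
Added illustration, not part of the archived message or of any Turtle implementation: a minimal C decoder for the escaped form `\u0000` discussed in the thread, showing why a decoded literal has to travel with an explicit length once NULL is legal in a string. The function names and the sample literal are hypothetical, and only `\uXXXX` escapes are handled.

```c
#include <stdio.h>
#include <string.h>

/* Hex digit value, or -1 for anything else (including the 0 terminator). */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                   /* fold A-F onto a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode \uXXXX escapes of a Turtle string body to UTF-8; other bytes are
 * copied unchanged (assumption: no other escape kinds, no surrogates).
 * Returns the byte count, or (size_t)-1 on a bad escape or a full buffer.
 * That count is the only reliable length: the output may contain 0x00. */
size_t decode_turtle_u(const char *src, unsigned char *out, size_t cap) {
    size_t n = 0;
    while (*src) {
        unsigned cp = 0;
        if (n + 3 > cap) return (size_t)-1;      /* keep room for the longest case */
        if (src[0] != '\\' || src[1] != 'u') { out[n++] = (unsigned char)*src++; continue; }
        for (int i = 2; i < 6; i++) {            /* stops at the first non-hex byte */
            int d = hexval(src[i]);
            if (d < 0) return (size_t)-1;
            cp = cp * 16 + (unsigned)d;
        }
        src += 6;
        if (cp < 0x80) { out[n++] = (unsigned char)cp; continue; }
        if (cp < 0x800) out[n++] = (unsigned char)(0xC0 | (cp >> 6));
        else {
            out[n++] = (unsigned char)(0xE0 | (cp >> 12));
            out[n++] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        }
        out[n++] = (unsigned char)(0x80 | (cp & 0x3F));
    }
    return n;
}

/* 1 if strlen/strcmp/"%s" would silently drop part of the decoded value. */
int c_view_truncates(const unsigned char *buf, size_t len) {
    return memchr(buf, 0, len) != NULL;
}

int main(void) {
    unsigned char buf[64] = {0};
    size_t n = decode_turtle_u("admin\\u0000.example", buf, sizeof buf); /* constructed literal */
    printf("decoded=%zu strlen=%zu truncates=%d\n",
           n, strlen((char *)buf), c_view_truncates(buf, n));
}
```

A consumer that compares or stores the value through a C-string API sees only the bytes before the zero, so a check like `c_view_truncates` belongs at every boundary where the literal leaves length-aware code.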