- From: Eric Prud'hommeaux <eric@w3.org>
- Date: Tue, 8 Nov 2005 08:46:00 -0500
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- Cc: public-rdf-dawg-comments@w3.org
- Message-ID: <20051108134600.GG17752@w3.org>
On Fri, Jul 22, 2005 at 02:09:36AM +0200, Bjoern Hoehrmann wrote:
>
> Dear RDF Data Access Working Group,
>
> http://www.w3.org/TR/2005/WD-rdf-sparql-query-20050721/ lacks a
> section on security considerations; while it includes a brief note
> about a specific security issue, it is unclear for example which
> security considerations are considered out of scope and handled in
> other documents such as the Protocol draft, or that security of
> extension functions are out of scope, or that the security
> considerations of the XPath/XQuery functions and operators apply to
> SPARQL as well, etc. Please include a dedicated section on security
> considerations in the draft; RFC 3552 and RFC 2828 will help here.

The editor's draft now has:

[[
SPARQL queries using FROM, FROM NAMED, or GRAPH may cause the specified URI to be dereferenced. This may cause additional use of network, disk or CPU resources along with associated secondary issues such as denial of service. The security issues of Uniform Resource Identifier (URI): Generic Syntax [RFC3986] Section 7 should be considered. In addition, the contents of file: URIs can in some cases be accessed, processed and returned as results, providing unintended access to local resources.

The SPARQL language permits extensions, which will have their own security implications.

Multiple IRIs may have the same appearance. Characters in different scripts may look similar (a Cyrillic "о" may appear similar to a Latin "o"). A character followed by combining characters may have the same visual representation as another character (LATIN SMALL LETTER E followed by COMBINING ACUTE ACCENT has the same visual representation as LATIN SMALL LETTER E WITH ACUTE). Users of SPARQL must take care to construct queries with IRIs that match the IRIs in the data. Further information about matching of similar characters can be found in Unicode Security Considerations [UNISEC] and Internationalized Resource Identifiers (IRIs) [RFC3987] Section 8.
]]

includes the security issues raised in XQuery's G.6 Security Considerations [XQSEC], as well as some anti-phishing text. Please see if it meets your requirements. If it does, please respond with [CLOSED] in the subject to allow the issue tracking scripts to close this issue. If not, of course, please send more feedback.

[XQSEC] http://www.w3.org/TR/xquery/#id-security-considerations

--
-eric

office: +81.466.49.1170 W3C, Keio Research Institute at SFC, Shonan Fujisawa Campus, Keio University,
        5322 Endo, Fujisawa, Kanagawa 252-8520 JAPAN
        +1.617.258.5741 NE43-344, MIT, Cambridge, MA 02144 USA
cell:   +81.90.6533.3882

(eric@w3.org)
Feel free to forward this message to any list for any purpose other than email address distribution.
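The two risks the quoted draft text describes, IRIs in FROM / FROM NAMED / GRAPH that an endpoint may dereference (including file: IRIs) and IRIs that look identical but differ in code points, can both be checked before a query is run. The following is an added example, not part of this message or of the SPARQL specification: a small Python audit over a constructed query and a constructed set of data IRIs (example.org names, hypothetical). It flags FROM/FROM NAMED/GRAPH targets with a file: scheme, IRIs that are not in Unicode NFC form, IRIs that mix scripts (Latin plus Cyrillic, the draft's "о" vs "o" case), and IRIs that fail to match the data exactly but would match after NFC normalization (the draft's "e + COMBINING ACUTE ACCENT" case). The script-detection heuristic uses the first word of each letter's Unicode character name, which is an assumption adequate for the Latin/Cyrillic confusables discussed here, not a full implementation of Unicode Security Considerations.

```python
import re
import unicodedata

# Constructed sample data (hypothetical example.org IRIs), stored in NFC form.
DATA_IRIS = {
    "http://example.org/caf\u00e9",       # precomposed LATIN SMALL LETTER E WITH ACUTE
    "http://example.org/user/bob",        # all-Latin
}

# Constructed sample query. The first IRI is a file: dataset clause; the
# WHERE clause uses "cafe" + COMBINING ACUTE ACCENT (U+0301) and a Cyrillic
# "o" (U+043E) inside "bob", both of which look like the data IRIs above.
QUERY = (
    "SELECT ?n FROM <file:///var/data/local.ttl> "
    "FROM NAMED <http://example.org/graphs/g1>\n"
    "WHERE { GRAPH ?g { <http://example.org/cafe\u0301> ?p ?n . "
    "<http://example.org/user/b\u043eb> ?q ?n } }"
)

# Any <...> IRI reference in the query text.
IRI_RE = re.compile(r"<([^<>\s]*)>")
# Dataset and graph clauses that name an IRI (not a variable); these may be
# dereferenced by the endpoint according to the draft's security text.
CLAUSE_RE = re.compile(r"\b(FROM\s+NAMED|FROM|GRAPH)\s+<([^<>\s]*)>", re.IGNORECASE)


def scripts_of(text):
    """Return the set of scripts used by letters in text, taken from the first
    word of each letter's Unicode name (assumption: good enough for Latin/Cyrillic)."""
    scripts = set()
    for ch in text:
        if not ch.isalpha():          # skips digits, punctuation, combining marks
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def check_iri(iri, data_iris):
    """Return a list of findings for one IRI; empty list means it matches the data exactly."""
    findings = []
    nfc = unicodedata.normalize("NFC", iri)
    if nfc != iri:
        findings.append("not-nfc")
    if len(scripts_of(iri)) > 1:
        findings.append("mixed-script")
    if iri not in data_iris:
        findings.append("no-exact-match")
        if nfc in data_iris:
            # Looks like a data IRI but uses a different code point sequence.
            findings.append("matches-after-nfc")
    return findings


def audit_query(query, data_iris):
    """Map every IRI in the query that has at least one finding to its findings."""
    report = {}
    for iri in IRI_RE.findall(query):
        findings = check_iri(iri, data_iris)
        if findings:
            report[iri] = findings
    return report


def dereference_targets(query):
    """Return (clause, iri, scheme) for each FROM / FROM NAMED / GRAPH clause naming an IRI."""
    targets = []
    for m in CLAUSE_RE.finditer(query):
        clause = " ".join(m.group(1).split()).upper()
        iri = m.group(2)
        scheme = iri.split(":", 1)[0].lower() if ":" in iri else ""
        targets.append((clause, iri, scheme))
    return targets


def local_file_targets(query):
    """IRIs in dataset/graph clauses that would read local files if dereferenced."""
    return [iri for _, iri, scheme in dereference_targets(query) if scheme == "file"]


if __name__ == "__main__":
    for clause, iri, scheme in dereference_targets(QUERY):
        print(f"{clause:10} {scheme:5} {iri}")
    print("file: targets:", local_file_targets(QUERY))
    for iri, findings in audit_query(QUERY, DATA_IRIS).items():
        print(repr(iri), "->", ", ".join(findings))
```

An endpoint that accepts queries from untrusted parties would reject or rewrite the file: targets rather than merely log them; a client composing queries against known data would treat "matches-after-nfc" as a fixable mistake (normalize before sending) and "mixed-script" as something to inspect by hand.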
Received on Tuesday, 8 November 2005 13:46:07 UTC