ACTION: EricP to include rq23/mim.txt in rq23 -- DONE

On Mon, Aug 15, 2005 at 06:12:47PM -0500, Dan Connolly wrote:
> 9. issues#queryMimeType
> ACTION: ericP to update rq23 to include the text of rq23/mime.txt reflect security concearns

I believe the following text covers everything that was in mime.txt:

SPARQL queries using FROM, FROM NAMED, or GRAPH may cause the
specified URI to be dereferenced. This may cause additional use of
network, disk or CPU resources along with associated secondary issues
such as denial of service. The security issues of Uniform Resource
Identifier (URI): Generic Syntax [RFC3986] Section 7 should be
considered. In addition, the contents of file: URIs can in some cases
be accessed, processed and returned as results, providing unintended
access to local resources.

The SPARQL language permits extensions, which will have their own
security implications.

Multiple IRIs may have the same appearance. Characters in different
scripts may look similar (a Cyrillic "o" may appear similar to a Latin
"o"). A character followed by combining characters may have the same
visual representation as another character (LATIN SMALL LETTER E
followed by COMBINING ACUTE ACCENT has the same visual representation
as LATIN SMALL LETTER E WITH ACUTE). Users of SPARQL must take care to
construct queries with IRIs that match the IRIs in the data. Further
information about matching of similar characters can be found in
Unicode Security Considerations [UNISEC] and Internationalized
Resource Identifiers (IRIs) [RFC3987] Section 8.

office: +81.466.49.1170 W3C, Keio Research Institute at SFC,
                        Shonan Fujisawa Campus, Keio University,
                        5322 Endo, Fujisawa, Kanagawa 252-8520
        +1.617.258.5741 NE43-344, MIT, Cambridge, MA 02144 USA
cell:   +81.90.6533.3882

Feel free to forward this message to any list for any purpose other than
email address distribution.

Received on Tuesday, 16 August 2005 08:22:23 UTC