ISSUE: Security Considerations

Did the WG ever vote on the Security Considerations [SEC] appendix
in SPARQL Query? If it was accepted, I can send an [OK?] to the
commentor [CMNT]. If not, can we vote on this text?:
[[
SPARQL queries using FROM, FROM NAMED, or GRAPH may cause the
specified URI to be dereferenced. This may cause additional use of
network, disk or CPU resources along with associated secondary issues
such as denial of service. The security issues of Uniform Resource
Identifier (URI): Generic Syntax [RFC3986] Section 7 should be
considered. In addition, the contents of file: URIs can in some cases
be accessed, processed and returned as results, providing unintended
access to local resources.

The SPARQL language permits extensions, which will have their own
security implications.

Multiple IRIs may have the same appearance. Characters in different
scripts may look similar (a Cyrillic "ะพ" may appear similar to a Latin
"o"). A character followed by combining characters may have the same
visual representation as another character (LATIN SMALL LETTER E
followed by COMBINING ACUTE ACCENT has the same visual representation
as LATIN SMALL LETTER E WITH ACUTE). Users of SPARQL must take care to
construct queries with IRIs that match the IRIs in the data. Further
information about matching of similar characters can be found in
Unicode Security Considerations [UNISEC] and Internationalized
Resource Identifiers (IRIs) [RFC3987] Section 8.
]]

[SEC] http://www.w3.org/2001/sw/DataAccess/rq23/#security
[CMNT] http://www.w3.org/mid/43203939.225674421@smtp.bjoern.hoehrmann.de
-- 
-eric

office: +81.466.49.1170 W3C, Keio Research Institute at SFC,
                        Shonan Fujisawa Campus, Keio University,
                        5322 Endo, Fujisawa, Kanagawa 252-8520
                        JAPAN
        +1.617.258.5741 NE43-344, MIT, Cambridge, MA 02144 USA
cell:   +81.90.6533.3882

(eric@w3.org)
Feel free to forward this message to any list for any purpose other than
email address distribution.

Received on Tuesday, 25 October 2005 08:39:14 UTC