- From: Eric Prud'hommeaux <eric@w3.org>
- Date: Tue, 25 Oct 2005 04:39:08 -0400
- To: public-rdf-dawg@w3.org
- Message-ID: <20051025083908.GL11032@w3.org>
Did the WG ever vote on the Security Considerations [SEC] appendix in SPARQL Query? If it was accepted, I can send an [OK?] to the commentor [CMNT]. If not, can we vote on this text?: [[ SPARQL queries using FROM, FROM NAMED, or GRAPH may cause the specified URI to be dereferenced. This may cause additional use of network, disk or CPU resources along with associated secondary issues such as denial of service. The security issues of Uniform Resource Identifier (URI): Generic Syntax [RFC3986] Section 7 should be considered. In addition, the contents of file: URIs can in some cases be accessed, processed and returned as results, providing unintended access to local resources. The SPARQL language permits extensions, which will have their own security implications. Multiple IRIs may have the same appearance. Characters in different scripts may look similar (a Cyrillic "ะพ" may appear similar to a Latin "o"). A character followed by combining characters may have the same visual representation as another character (LATIN SMALL LETTER E followed by COMBINING ACUTE ACCENT has the same visual representation as LATIN SMALL LETTER E WITH ACUTE). Users of SPARQL must take care to construct queries with IRIs that match the IRIs in the data. Further information about matching of similar characters can be found in Unicode Security Considerations [UNISEC] and Internationalized Resource Identifiers (IRIs) [RFC3987] Section 8. ]] [SEC] http://www.w3.org/2001/sw/DataAccess/rq23/#security [CMNT] http://www.w3.org/mid/43203939.225674421@smtp.bjoern.hoehrmann.de -- -eric office: +81.466.49.1170 W3C, Keio Research Institute at SFC, Shonan Fujisawa Campus, Keio University, 5322 Endo, Fujisawa, Kanagawa 252-8520 JAPAN +1.617.258.5741 NE43-344, MIT, Cambridge, MA 02144 USA cell: +81.90.6533.3882 (eric@w3.org) Feel free to forward this message to any list for any purpose other than email address distribution.
Received on Tuesday, 25 October 2005 08:39:14 UTC