Re: ISSUE: Security Considerations

On 04:39, Tue 25 Oct 05, Eric Prud'hommeaux wrote:
> Did the WG ever vote on the Security Considerations [SEC] appendix
> in SPARQL Query? If it was accepted, I can send an [OK?] to the
> commentor [CMNT]. If not, can we vote on this text?:

I thought I'd taken an action to write something like this as the result of
a WG decision, but I can't seem to find any record of that, so I'm probably
misremembering.

Purely as an editorial matter, if it can be treated as such, I support
adding the following text to the spec (with some minor tweaking), in section
3.1.

Cheers,
Kendall

> [[
> SPARQL queries using FROM, FROM NAMED, or GRAPH may cause the
> specified URI to be dereferenced. This may cause additional use of
> network, disk or CPU resources along with associated secondary issues
> such as denial of service. The security issues of Uniform Resource
> Identifier (URI): Generic Syntax [RFC3986] Section 7 should be
> considered. In addition, the contents of file: URIs can in some cases
> be accessed, processed and returned as results, providing unintended
> access to local resources.
> 
> The SPARQL language permits extensions, which will have their own
> security implications.
> 
> Multiple IRIs may have the same appearance. Characters in different
> scripts may look similar (a Cyrillic "о" may appear similar to a Latin
> "o"). A character followed by combining characters may have the same
> visual representation as another character (LATIN SMALL LETTER E
> followed by COMBINING ACUTE ACCENT has the same visual representation
> as LATIN SMALL LETTER E WITH ACUTE). Users of SPARQL must take care to
> construct queries with IRIs that match the IRIs in the data. Further
> information about matching of similar characters can be found in
> Unicode Security Considerations [UNISEC] and Internationalized
> Resource Identifiers (IRIs) [RFC3987] Section 8.
> ]]
> 
> [SEC] http://www.w3.org/2001/sw/DataAccess/rq23/#security
> [CMNT] http://www.w3.org/mid/43203939.225674421@smtp.bjoern.hoehrmann.de

Received on Tuesday, 25 October 2005 13:20:18 UTC
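As an added illustration of the two hazards the quoted Security Considerations text describes (dereferencing of FROM / FROM NAMED / GRAPH IRIs, including file: IRIs, and IRIs that look alike but do not match code point for code point), here is a small defensive check an endpoint or query author could run on an IRI before it is used. This is example code written for this page, not text or code from the WG, the SPARQL spec, or any SPARQL implementation; the scheme allowlist, the function names, the first-word-of-Unicode-name script heuristic, and all sample IRIs are constructed assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: schemes this hypothetical endpoint will dereference for
# FROM / FROM NAMED / GRAPH.  file: is deliberately absent so that a query cannot
# pull local files into the dataset.
ALLOWED_SCHEMES = {"http", "https"}


def dereference_allowed(iri):
    """True if the IRI's scheme is on the dereference allowlist."""
    scheme = urlsplit(iri).scheme.lower()
    return scheme in ALLOWED_SCHEMES


def same_iri(a, b):
    """IRI matching in RDF/SPARQL is a plain code-point comparison:
    no case folding, no Unicode normalization, no confusable mapping."""
    return a == b


def nfc_equal(a, b):
    """True if two IRIs only differ in composed vs. decomposed form, i.e.
    they render identically but are distinct IRIs to a SPARQL engine."""
    return unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b)


def scripts_of(text):
    """Heuristic set of scripts used by the alphabetic code points of text.
    The script is taken as the first word of the Unicode character name
    (e.g. 'LATIN SMALL LETTER O' -> LATIN, 'CYRILLIC SMALL LETTER O' -> CYRILLIC);
    this is an assumption of the example, not a Unicode-defined property lookup."""
    scripts = set()
    for ch in text:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def check_iri(iri):
    """Return a list of human-readable warnings for an IRI about to be used in
    FROM / FROM NAMED / GRAPH.  An empty list means none of the checks fired."""
    warnings = []
    if not dereference_allowed(iri):
        scheme = urlsplit(iri).scheme or "(none)"
        warnings.append("scheme not allowed for dereferencing: " + scheme)
    if unicodedata.normalize("NFC", iri) != iri:
        warnings.append("not in NFC form: may look identical to a different IRI in the data")
    scripts = scripts_of(iri)
    if len(scripts) > 1:
        warnings.append("mixed scripts: " + ", ".join(sorted(scripts)))
    return warnings


# Constructed sample IRIs.
IRI_PRECOMPOSED = "http://example.org/caf\u00e9"        # LATIN SMALL LETTER E WITH ACUTE
IRI_DECOMPOSED = "http://example.org/cafe\u0301"        # e + COMBINING ACUTE ACCENT
IRI_MIXED_SCRIPT = "http://example.org/t\u043epic"      # Cyrillic о inside a Latin word
IRI_LOCAL_FILE = "file:///tmp/local.ttl"                # placeholder local path

if __name__ == "__main__":
    for iri in (IRI_PRECOMPOSED, IRI_DECOMPOSED, IRI_MIXED_SCRIPT, IRI_LOCAL_FILE):
        print(repr(iri), check_iri(iri) or "ok")
    print("precomposed == decomposed?", same_iri(IRI_PRECOMPOSED, IRI_DECOMPOSED))
    print("equal after NFC?", nfc_equal(IRI_PRECOMPOSED, IRI_DECOMPOSED))
```

The design point is that the two visually identical "café" IRIs are different IRIs to a SPARQL engine, so a query written with one will silently fail to match data stored with the other; normalizing to NFC before comparison tells you that this has happened, but does not make the engine treat them as equal, which is why the check is worth running when the query is authored rather than at match time.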