Re: ISSUE: Security Considerations

On 04:39, Tue 25 Oct 05, Eric Prud'hommeaux wrote:
> Did the WG ever vote on the Security Considerations [SEC] appendix
> in SPARQL Query? If it was accepted, I can send an [OK?] to the
> commentor [CMNT]. If not, can we vote on this text?:

I thought I'd taken an action to write something like this as the result of
a WG decision, but I can't seem to find any record of that, so I'm probably

Purely as an editorial matter, if it can be treated as such, I support
adding the following text to the spec (with some minor tweaking), in section


> [[
> SPARQL queries using FROM, FROM NAMED, or GRAPH may cause the
> specified URI to be dereferenced. This may cause additional use of
> network, disk or CPU resources along with associated secondary issues
> such as denial of service. The security issues of Uniform Resource
> Identifier (URI): Generic Syntax [RFC3986] Section 7 should be
> considered. In addition, the contents of file: URIs can in some cases
> be accessed, processed and returned as results, providing unintended
> access to local resources.
> The SPARQL language permits extensions, which will have their own
> security implications.
> Multiple IRIs may have the same appearance. Characters in different
> scripts may look similar (a Cyrillic "??" may appear similar to a Latin
> "o"). A character followed by combining characters may have the same
> visual representation as another character (LATIN SMALL LETTER E
> followed by COMBINING ACUTE ACCENT has the same visual representation
> as LATIN SMALL LETTER E WITH ACUTE). Users of SPARQL must take care to
> construct queries with IRIs that match the IRIs in the data. Further
> information about matching of similar characters can be found in
> Unicode Security Considerations [UNISEC] and Internationalized
> Resource Identifiers (IRIs) [RFC3987] Section 8.
> ]]
> [SEC]
> [CMNT]

Received on Tuesday, 25 October 2005 13:20:18 UTC