
Re: Security Concerns section added to Query_by_reference

From: Axel Polleres <axel.polleres@deri.org>
Date: Mon, 06 Apr 2009 17:45:07 +0100
Message-ID: <49DA3193.5090106@deri.org>
To: Steve Harris <steve.harris@garlik.com>
CC: SPARQL Working Group <public-rdf-dawg@w3.org>
Let me understand: What is the difference in terms of security issues 
between query-by-reference and queries using REST or SOAP?

The same concerns you seem to raise hold there... quite on the contrary, 
it seems that only allowing queries-by-reference from a particular 
namespace would be a security feature rather than a leak.

Thanks for clarifications,

Steve Harris wrote:
> On 26 Mar 2009, at 09:38, Seaborne, Andy wrote:
>>> -----Original Message-----
>>> From: public-rdf-dawg-request@w3.org [mailto:public-rdf-dawg-
>>> request@w3.org] On Behalf Of Steve Harris
>>> Sent: 25 March 2009 21:30
>>> To: SPARQL Working Group
>>> Subject: Re: Security Concerns section added to Query_by_reference
>>> On 25 Mar 2009, at 15:30, Seaborne, Andy wrote:
>>>> A practice-and-experience note.
>>>> Queries that use FROM/FROM NAMED also cause servers to load data
>>>> from a remote reference and have the same serious issues.
>>> There is a difference. The wording of FROM (8.2 Specifying RDF
>>> Datasets) is (deliberately IIRC) quite vague, and it doesn't
>>> explicitly require you to go and dereference a URI. For example we had
>>> a store that uses FROM NAMED to choose the, already loaded, graphs
>>> that will be used to answer the query, and that's legitimate from my
>>> reading of the spec.
>>> - Steve
>> The same could also be true (at least, I was assuming that it would be 
>> true).  A reference to a query (a reference to a representation of a 
>> query) is no different to a reference to a representation of a graph, 
>> which is what 8.2.1 and 8.2.2 talk about.
>> So just because a query is referenced, it does not mean it must be 
>> read. The query may be available locally to the server.  It might even 
>> already have a query plan.
> Fair point, but I still think there's a difference in expectations, from 
> the feature description and docs at the hosting site. It could be worded 
> differently, but there seemed to be a clear expectation of a live dereference of 
> the URI from the author.
> - Steve

Dr. Axel Polleres
Digital Enterprise Research Institute, National University of Ireland, 
email: axel.polleres@deri.org  url: http://www.polleres.net/
Received on Monday, 6 April 2009 16:45:55 UTC
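The thread above contrasts two ways a server can treat an IRI it receives in a query: dereference it live (the behaviour Steve worries about, which makes the endpoint fetch arbitrary remote content), or use it only to select data already loaded locally (the FROM NAMED practice Andy describes), with Axel suggesting that query-by-reference could additionally be restricted to a particular namespace. The following Python is an added illustration of both defensive policies and is not code from any of the participants or from a SPARQL implementation; the graph names, the allowed namespace and the regex-based clause extraction are constructed assumptions, not a full SPARQL parser.

```python
import re
from urllib.parse import urlparse

# Constructed sample: graphs that the store has already loaded (hypothetical names).
LOCAL_GRAPHS = {
    "http://example.org/graphs/people",
    "http://example.org/graphs/projects",
}

# Constructed sample: the only namespace from which a referenced query
# document may be fetched (the "particular namespace" idea from the thread).
QUERY_REF_ALLOWED_PREFIXES = ("https://queries.example.org/",)

# Matches FROM <iri> and FROM NAMED <iri>; adequate for the flat queries used
# here, not a substitute for a real SPARQL grammar.
_FROM_RE = re.compile(r"\bFROM\s+(NAMED\s+)?<([^>]*)>", re.IGNORECASE)


def dataset_iris(query: str):
    """Return the IRIs of FROM / FROM NAMED clauses as (is_named, iri) pairs."""
    return [(bool(m.group(1)), m.group(2)) for m in _FROM_RE.finditer(query)]


def check_dataset_clauses(query: str):
    """Resolve FROM / FROM NAMED only against graphs already in the store.

    Returns (allowed, reason). Nothing is ever dereferenced here: an IRI the
    store does not already hold is rejected instead of being fetched.
    """
    for is_named, iri in dataset_iris(query):
        if iri not in LOCAL_GRAPHS:
            kind = "FROM NAMED" if is_named else "FROM"
            return False, f"{kind} <{iri}> is not a locally loaded graph"
    return True, "all dataset IRIs resolve to local graphs"


def check_query_reference(query_uri: str):
    """Permit a query-by-reference URI only inside the allowlisted namespace.

    Scheme, host and path are compared separately rather than by plain string
    prefix, so that userinfo in the authority component cannot make a foreign
    host look like the allowed one.
    """
    parsed = urlparse(query_uri)
    for prefix in QUERY_REF_ALLOWED_PREFIXES:
        p = urlparse(prefix)
        if (parsed.scheme == p.scheme
                and parsed.hostname is not None
                and parsed.hostname == p.hostname
                and parsed.username is None
                and parsed.password is None
                and parsed.path.startswith(p.path)):
            return True, f"{query_uri} is within an allowed namespace"
    return False, f"{query_uri} is outside the allowed namespaces"


if __name__ == "__main__":
    q = ("SELECT * FROM NAMED <http://example.org/graphs/people> "
         "WHERE { GRAPH ?g { ?s ?p ?o } }")
    print(check_dataset_clauses(q))
    print(check_dataset_clauses("SELECT * FROM <http://internal.example/private> WHERE { ?s ?p ?o }"))
    print(check_query_reference("https://queries.example.org/q/42.rq"))
    print(check_query_reference("https://queries.example.org@other.example/q.rq"))
```

The first check implements Andy's reading of the spec: a dataset clause names graphs, it does not instruct the server to fetch them. The second implements Axel's suggestion for the query-by-reference case, where a fetch is expected, and shows why the namespace comparison should be structural rather than a raw string prefix.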
