RE: Security Concerns section added to Query_by_reference

A practice-and-experience note.

Queries that use FROM/FROM NAMED also cause servers to load data from a remote reference and have the same serious issues.  

In the Joseki example endpoint I run, there is an internal limit on the size of the graph it will load (size by number of triples, the number is quite low - the parsers stream and it counts the stream). It only applies to data read in by URL, not if the query is on a fixed dataset that the server already has.  It's not ideal but some mechanism was needed, and, yes, it has been triggered and not just occasionally.  There have requests to read in simply huge files by HTTP GET.

It also refuses to read "file:" URLs.

Any SPARQL endpoint can reject a query for whatever reason it chooses. Joseki provides a configuration option (per endpoint) to reject queries with FROMN/FROM NAMED or the protocol equivalent, and it is recommended to use that.

So a processor can legitimately refuse to support any use Feature:Query_by_reference.  If that might be common, the time spent spec'ing isn't well spent IMHO.

 Andy

> -----Original Message-----
> From: public-rdf-dawg-request@w3.org [mailto:public-rdf-dawg-
> request@w3.org] On Behalf Of Steve Harris
> Sent: 25 March 2009 12:40
> To: SPARQL Working Group
> Subject: Security Concerns section added to Query_by_reference
> 
> http://www.w3.org/2009/sparql/wiki/Feature:Query_by_reference

> 
> In short, providing public systems that can trigger bigger external
> requests than they receive is a serious security issue.
> 
> - Steve
> 
> --
> Steve Harris
> Garlik Limited, 2 Sheen Road, Richmond, TW9 1AE, UK
> +44(0)20 8973 2465  http://www.garlik.com/

> Registered in England and Wales 535 7233 VAT # 849 0517 11
> Registered office: Thames House, Portsmouth Road, Esher, Surrey, KT10
> 9AD
> 

Received on Wednesday, 25 March 2009 15:32:00 UTC