Followup to RC-4

I don't know the process for modifying a document after Last Call, so
I'm asking the list here.

In Richard's email of RC-4 [1], he expresses concern that a harmful
update operation may be embedded in a query:

> The risk is that a) users can be tricked into running harmful queries, and b) software that uses
> heuristics to detect queries with potential security impact will be less likely to work.
>
> This may have been ok in SPARQL 1.0, but with the addition of SPARQL UPDATE this is an unacceptable risk.
>
> I am surprised that the security issues arising from obfuscation through string escaping are not
> stated in the Security Considerations sections of SPARQL Query and SPARQL Update.

Andy has adequately addressed this concern by pointing out that Query
and Update are two separate languages. However, since it is possible
for an implementation to offer both services at one endpoint, I think
it would be worthwhile explaining the risk in the "Security
Considerations (Informative)" section of SPARQL Update.

My proposed text is:
---
While SPARQL Update and SPARQL Query are separate languages, some
implementations may choose to offer both at the same SPARQL endpoint.
In this case, it is important to consider that an Update operation may
be obscured to masquerade as a query. For instance, a string of
Unicode escapes in a PREFIX clause could be used to hide an Update
operation. Therefore, simple syntactic tests are inadequate to
determine if a string describes a query or an update.
---

Is this OK to add to the document?

Regards,
Paul Gearon

[1] http://lists.w3.org/Archives/Public/public-rdf-dawg-comments/2011Aug/0010.html

Received on Tuesday, 27 September 2011 18:26:25 UTC
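The point of the proposed text is that a keyword scan over the raw request string cannot tell a query from an update once escaping is in play. The following is an added illustration, not code from this thread or from any SPARQL implementation. It assumes (as a hypothetical) a processor that decodes \uXXXX / \UXXXXXXXX codepoint escapes over the whole request string before tokenizing it, and the sample strings are constructed for the demonstration:

```python
import re

# Assumption for this example: the endpoint decodes codepoint escapes
# everywhere in the request before tokenizing. Whether a given SPARQL
# processor does this is implementation-dependent.
_CODEPOINT_ESCAPE = re.compile(r"\\u([0-9A-Fa-f]{4})|\\U([0-9A-Fa-f]{8})")


def decode_codepoint_escapes(text: str) -> str:
    """Replace each \\uXXXX / \\UXXXXXXXX sequence with the code point it names."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return _CODEPOINT_ESCAPE.sub(repl, text)


def encode_as_codepoint_escapes(text: str) -> str:
    """Hide text by writing every character as a \\uXXXX escape (BMP only)."""
    return "".join(f"\\u{ord(c):04X}" for c in text)


# The kind of "simple syntactic test" the proposed text warns about:
# a keyword scan over the raw request string.
_UPDATE_KEYWORDS = re.compile(
    r"\b(INSERT|DELETE|LOAD|CLEAR|CREATE|DROP|COPY|MOVE|ADD)\b", re.IGNORECASE
)


def looks_like_update(text: str) -> bool:
    """Heuristic: does the string contain an Update keyword?"""
    return _UPDATE_KEYWORDS.search(text) is not None


# Constructed samples (not from the thread).
PLAIN_QUERY = "PREFIX ex: <http://example.org/> SELECT ?s WHERE { ?s ex:p ?o }"
PLAIN_UPDATE = "PREFIX ex: <http://example.org/> INSERT DATA { ex:a ex:p ex:b }"

# An update smuggled into the PREFIX IRI: once decoded, the escaped '>'
# closes the IRI and the escaped '#' turns the innocent-looking SELECT
# that follows into a comment. The raw string shows only PREFIX and SELECT.
_HIDDEN = "> INSERT DATA { ex:a ex:p ex:b } #"
OBFUSCATED = (
    "PREFIX ex: <http://example.org/"
    + encode_as_codepoint_escapes(_HIDDEN)
    + "> SELECT ?s WHERE { ?s ex:p ?o }"
)


def classify_all() -> dict:
    """Heuristic verdict on the raw text and on the decoded text, per sample."""
    samples = (("query", PLAIN_QUERY), ("update", PLAIN_UPDATE), ("obfuscated", OBFUSCATED))
    return {
        name: (looks_like_update(s), looks_like_update(decode_codepoint_escapes(s)))
        for name, s in samples
    }


if __name__ == "__main__":
    for name, (raw, decoded) in classify_all().items():
        print(f"{name:10s} raw says update={raw!s:5}  after decoding={decoded}")
    print(decode_codepoint_escapes(OBFUSCATED))
```

On the raw string the scan reports the obfuscated request as a query; only after decoding does the INSERT DATA appear. Decoding first defeats this particular trick but is still a syntactic guess, which is why the proposed text calls such tests inadequate: the dependable options are to classify a request only through the full parser, or not to accept updates on the same path that accepts queries.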