- From: Paul Gearon <pgearon@revelytix.com>
- Date: Tue, 27 Sep 2011 14:25:56 -0400
- To: SPARQL Working Group <public-rdf-dawg@w3.org>
I don't know the process for modifying a document after Last Call, so I'm asking the list here.

In Richard's email of RC-4 [1], he expresses concern that a harmful update operation may be embedded in a query:

> The risk is that a) users can be tricked into running harmful queries, and b) software that uses
> heuristics to detect queries with potential security impact will be less likely to work.
>
> This may have been ok in SPARQL 1.0, but with the addition of SPARQL UPDATE this is an unacceptable risk.
>
> I am surprised that the security issues arising from obfuscation through string escaping are not
> stated in the Security Considerations sections of SPARQL Query and SPARQL Update.

Andy has adequately addressed this concern by pointing out that Query and Update are two separate languages. However, since it is possible for an implementation to offer both services at one endpoint, I think it would be worthwhile explaining the risk in the "Security Considerations (Informative)" section of SPARQL Update. My proposed text is:

---
While SPARQL Update and SPARQL Query are separate languages, some implementations may choose to offer both at the same SPARQL endpoint. In this case, it is important to consider that an Update operation may be obscured to masquerade as a query. For instance, a string of unicode escapes in a PREFIX clause could be used to hide an Update Operation. Therefore, simple syntactic tests are inadequate to determine if a string describes a query or an update.
---

Is this OK to add to the document?

Regards,
Paul Gearon

[1] http://lists.w3.org/Archives/Public/public-rdf-dawg-comments/2011Aug/0010.html
Received on Tuesday, 27 September 2011 18:26:25 UTC
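The obfuscation described in the proposed text, worked through as an added example that is not part of this thread and not code from any SPARQL engine. It assumes an endpoint that serves Query and Update at one URL and whose parser decodes \uXXXX / \UXXXXXXXX code-point escapes over the whole request before tokenizing (the SPARQL 1.0 behaviour). The keyword list, the function names and the payload are all constructed for the illustration; `naive_is_update` is the kind of "simple syntactic test" the email says is inadequate, and `is_update_after_decoding` is the same test run on what the parser will actually see.

```python
import re

# Constructed example (added here; not from the W3C thread or any SPARQL engine).
# Assumption: the endpoint accepts both Query and Update on one URL, and its
# parser decodes \uXXXX / \UXXXXXXXX code-point escapes before tokenizing, as
# SPARQL 1.0 specified for the whole request string.

_UPDATE_KEYWORDS = ("INSERT", "DELETE", "LOAD", "CLEAR", "DROP",
                    "CREATE", "ADD", "MOVE", "COPY", "WITH")
_UPDATE_RE = re.compile(r"\b(?:" + "|".join(_UPDATE_KEYWORDS) + r")\b", re.IGNORECASE)
_ESCAPE_RE = re.compile(r"\\u([0-9A-Fa-f]{4})|\\U([0-9A-Fa-f]{8})")


def decode_codepoint_escapes(text: str) -> str:
    """Replace \\uXXXX and \\UXXXXXXXX with the code points they name.
    This is the pre-parse pass that makes the escapes indistinguishable
    from the literal characters by the time the grammar runs."""
    return _ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def encode_as_escapes(text: str) -> str:
    """Attacker side: spell every character as a \\uXXXX escape so that
    no keyword or delimiter is visible in the raw request."""
    return "".join(f"\\u{ord(c):04X}" for c in text)


def naive_is_update(request: str) -> bool:
    """The 'simple syntactic test': look for an update keyword in the raw text."""
    return _UPDATE_RE.search(request) is not None


def is_update_after_decoding(request: str) -> bool:
    """Same keyword test, but applied to the decoded string the parser sees."""
    return _UPDATE_RE.search(decode_codepoint_escapes(request)) is not None


def build_disguised_update(operation: str = "DROP ALL") -> str:
    """Constructed payload: a PREFIX clause whose IRI holds escapes that, once
    decoded, close the IRI, introduce an update operation, and start a '#'
    comment that swallows the visible SELECT on the same line."""
    hidden = encode_as_escapes(">\n" + operation + "\n#")
    return ("PREFIX ex: <http://example.org/" + hidden + "> "
            "SELECT * WHERE { ?s ?p ?o }")


if __name__ == "__main__":
    payload = build_disguised_update()
    print("raw request       :", payload)
    print("naive says update :", naive_is_update(payload))
    print("decoded request   :", decode_codepoint_escapes(payload))
    print("decoded says update:", is_update_after_decoding(payload))
```

After decoding, the request reads `PREFIX ex: <http://example.org/>`, then `DROP ALL`, then `#> SELECT * WHERE { ?s ?p ?o }` as a comment: a valid update with nothing left of the query. Decoding before any keyword check closes this particular gap, but it is still a heuristic; the robust choices are to parse the request with the Query grammar and route only what parses as a query, or to keep Query and Update on separate endpoints with separate authorization.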