- From: Steve Harris <steve.harris@garlik.com>
- Date: Tue, 27 Sep 2011 21:58:19 +0100
- To: Paul Gearon <pgearon@revelytix.com>
- Cc: SPARQL Working Group <public-rdf-dawg@w3.org>
On 27 Sep 2011, at 19:25, Paul Gearon wrote:

> I don't know the process for modifying a document after Last Call, so
> I'm asking the list here.
>
> In Richard's email of RC-4 [1], he expresses concern that a harmful
> update operation may be embedded in a query:
>
>> The risk is that a) users can be tricked into running harmful queries, and b) software that uses
>> heuristics to detect queries with potential security impact will be less likely to work.
>>
>> This may have been ok in SPARQL 1.0, but with the addition of SPARQL UPDATE this is an unacceptable risk.
>>
>> I am surprised that the security issues arising from obfuscation through string escaping are not
>> stated in the Security Considerations sections of SPARQL Query and SPARQL Update.
>
> Andy has adequately addressed this concern by pointing out that Query
> and Update are two separate languages. However, since it is possible
> for an implementation to offer both services at one endpoint, I think
> it would be worthwhile explaining the risk in the "Security
> Considerations (Informative)" section of SPARQL Update.
>
> My proposed text is:
> ---
> While SPARQL Update and SPARQL Query are separate languages, some
> implementations may choose to offer both at the same SPARQL endpoint.
> In this case, it is important to consider that an Update operation may
> be obscured to masquerade as a query. For instance, a string of
> unicode escapes in a PREFIX clause could be used to hide an Update
> Operation. Therefore, simple syntactic tests are inadequate to
> determine if a string describes a query or an update.
> ---

If the protocol is being used I believe it would be harder than that to exploit, if I'm reading it correctly that the parameter name is different

http://www.w3.org/TR/sparql11-protocol/#update-operation

Doesn't that mean that an update request looks like http://host.example/?update=… as opposed to http://host.example/?query=…

- Steve

> Is this OK to add to the document?
>
> Regards,
> Paul Gearon
>
> [1] http://lists.w3.org/Archives/Public/public-rdf-dawg-comments/2011Aug/0010.html
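An added illustration of the two points in this exchange (not code from the thread or from any W3C deliverable): a keyword scan over the raw request string misses an Update whose keyword is written with SPARQL codepoint escapes, because the grammar applies escape processing before parsing; scanning after that same decoding catches it, and the SPARQL 1.1 Protocol parameter name (`update=` versus `query=`) gives an endpoint a classification that does not depend on inspecting the text at all. The keyword list, the function names and the sample requests are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs

# SPARQL 1.1 applies codepoint escape processing (\uXXXX and \UXXXXXXXX)
# to the whole request string *before* grammar parsing, so a keyword can
# reach the parser as INSERT while the raw bytes never contain "INSERT".
_CODEPOINT_ESCAPE = re.compile(r"\\u([0-9A-Fa-f]{4})|\\U([0-9A-Fa-f]{8})")

# Heuristic keyword list (assumption: enough for the demonstration, not a
# substitute for running the real Update grammar over the request).
_UPDATE_KEYWORD = re.compile(
    r"\b(INSERT|DELETE|LOAD|CLEAR|CREATE|DROP|COPY|MOVE|ADD)\b", re.IGNORECASE)


def decode_codepoint_escapes(text: str) -> str:
    """Replicate the escape processing a conformant SPARQL parser performs first."""
    return _CODEPOINT_ESCAPE.sub(
        lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def naive_looks_like_update(text: str) -> bool:
    """The inadequate 'simple syntactic test': keyword scan on the raw string."""
    return _UPDATE_KEYWORD.search(text) is not None


def looks_like_update(text: str) -> bool:
    """Same scan, but over the string the parser would actually see."""
    return _UPDATE_KEYWORD.search(decode_codepoint_escapes(text)) is not None


def classify_by_protocol_parameter(query_string: str) -> str:
    """SPARQL 1.1 Protocol: updates arrive as 'update=', queries as 'query='."""
    params = parse_qs(query_string, keep_blank_values=True)
    if "update" in params:
        return "update"
    if "query" in params:
        return "query"
    return "unknown"


# Constructed sample requests (not from the thread); the second is the
# escape-obscured form of the first.
PLAIN_UPDATE = "PREFIX ex: <http://example.org/>\nINSERT DATA { ex:s ex:p ex:o }"
OBSCURED_UPDATE = "PREFIX ex: <http://example.org/>\n\\u0049NSERT DATA { ex:s ex:p ex:o }"
PLAIN_QUERY = "PREFIX ex: <http://example.org/>\nSELECT * WHERE { ?s ?p ?o }"

if __name__ == "__main__":
    for label, text in [("plain update", PLAIN_UPDATE),
                        ("obscured update", OBSCURED_UPDATE),
                        ("query", PLAIN_QUERY)]:
        print(f"{label:16} raw-scan={naive_looks_like_update(text)!s:5} "
              f"decoded-scan={looks_like_update(text)}")
```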
Received on Tuesday, 27 September 2011 20:59:00 UTC