[OK?] Re: SPARQL: Security Considerations

Eric Prud'hommeaux
On Fri, Jul 22, 2005 at 02:09:36AM +0200, Bjoern Hoehrmann wrote:

>
> Dear RDF Data Access Working Group,
>
>   http://www.w3.org/TR/2005/WD-rdf-sparql-query-20050721/ lacks a
> section on security considerations; while it includes a brief note
> about a specific security issue, it is unclear for example which
> security considerations are considered out of scope and handled in
> other documents such as the Protocol draft, or that security of
> extension functions is out of scope, or that the security
> considerations of the XPath/XQuery functions and operators apply to
> SPARQL as well, etc. Please include a dedicated section on security
> considerations in the draft; RFC 3552 and RFC 2828 will help here.
The editor's draft now has:
[[
SPARQL queries using FROM, FROM NAMED, or GRAPH may cause the
specified URI to be dereferenced. This may cause additional use of
network, disk or CPU resources along with associated secondary issues
such as denial of service. The security issues of Uniform Resource
Identifier (URI): Generic Syntax [RFC3986] Section 7 should be
considered. In addition, the contents of file: URIs can in some cases
be accessed, processed and returned as results, providing unintended
access to local resources.

The SPARQL language permits extensions, which will have their own
security implications.

Multiple IRIs may have the same appearance. Characters in different
scripts may look similar (a Cyrillic "о" may appear similar to a Latin
"o"). A character followed by combining characters may have the same
visual representation as another character (LATIN SMALL LETTER E
followed by COMBINING ACUTE ACCENT has the same visual representation
as LATIN SMALL LETTER E WITH ACUTE). Users of SPARQL must take care to
construct queries with IRIs that match the IRIs in the data. Further
information about matching of similar characters can be found in
Unicode Security Considerations [UNISEC] and Internationalized
Resource Identifiers (IRIs) [RFC3987] Section 8.
]]
includes the security issues raised in XQuery's G.6 Security
Considerations [XQSEC], as well as some anti-phishing text. Please see
if it meets your requirements. If it does, please respond with
[CLOSED] in the subject to allow the issue tracking scripts to close
this issue. If not, of course, please send more feedback.


[XQSEC] http://www.w3.org/TR/xquery/#id-security-considerations
--
-eric

office: +81.466.49.1170 W3C, Keio Research Institute at SFC,
                        Shonan Fujisawa Campus, Keio University,
                        5322 Endo, Fujisawa, Kanagawa 252-8520
                        JAPAN
        +1.617.258.5741 NE43-344, MIT, Cambridge, MA 02144 USA
cell:   +81.90.6533.3882

([hidden email])
Feel free to forward this message to any list for any purpose other than
email address distribution.
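
The draft text quoted in the message above names two checks an endpoint operator can make before running a query: which IRIs FROM, FROM NAMED or GRAPH would dereference, and whether those IRIs contain look-alike characters. The sketch below is an added example, not part of the thread or of the SPARQL draft; the scheme allowlist, the regex approximation of the grammar and the function names are assumptions.

```python
import re
import unicodedata

ALLOWED_SCHEMES = {"http", "https"}  # assumption: local policy, not from the draft

# Regex sketch, not a full SPARQL parser: IRIs written as <...> after
# FROM, FROM NAMED or GRAPH, i.e. the ones a processor may dereference.
DATASET_IRI = re.compile(r"\b(?:FROM(?:\s+NAMED)?|GRAPH)\s*<([^<>\s]*)>", re.I)
SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")


def letter_scripts(text):
    """Scripts of the letters in text, taken from the Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def audit_query(query):
    """Return sorted (iri, problem) pairs for the dataset IRIs in a query string."""
    findings = set()
    for iri in DATASET_IRI.findall(query):
        m = SCHEME.match(iri)
        scheme = m.group(1).lower() if m else ""
        if scheme not in ALLOWED_SCHEMES:      # e.g. file: reaching local resources
            findings.add((iri, "scheme-not-allowed"))
        if unicodedata.normalize("NFC", iri) != iri:   # e + combining accent vs. precomposed
            findings.add((iri, "not-nfc"))
        if len(letter_scripts(iri)) > 1:       # e.g. Cyrillic letter inside a Latin name
            findings.add((iri, "mixed-script"))
    return sorted(findings)


# Constructed sample query. \u043e is CYRILLIC SMALL LETTER O,
# \u0301 is COMBINING ACUTE ACCENT.
SAMPLE_QUERY = """
SELECT ?name
FROM <http://example.org/people>
FROM NAMED <file:///srv/data/private.rdf>
WHERE {
  GRAPH <http://example.c\u043em/g> { ?s ?p ?name }
  GRAPH <http://example.org/cafe\u0301> { ?s ?p ?name }
}
"""

if __name__ == "__main__":
    for iri, problem in audit_query(SAMPLE_QUERY):
        print(problem, ascii(iri))
```

Prefixed names and IRIs built at run time are not seen by this regex, so a production check belongs in the query parser or in the component that performs the dereference.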

Re: [OK?] Re: SPARQL: Security Considerations

Bjoern Hoehrmann

* Eric Prud'hommeaux wrote:
>The editor's draft now has:
>[...]

I think this is reasonable. I see that the section is referenced from
the media type security considerations; it seems that UTF-8 should be
a normative reference as UTF-8 support is required of application/
sparql-query implementations and that the document should say that the
security considerations of UTF-8 apply.
--
Björn Höhrmann · mailto:[hidden email] · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/

Re: [OK?] Re: SPARQL: Security Considerations

Eric Prud'hommeaux
On Fri, Nov 11, 2005 at 12:32:02PM +0100, Bjoern Hoehrmann wrote:

>
> * Eric Prud'hommeaux wrote:
> >The editor's draft now has:
> >[...]
>
> I think this is reasonable. I see that the section is referenced from
> the media type security considerations; it seems that UTF-8 should be
> a normative reference as UTF-8 support is required of application/
> sparql-query implementations and that the document should say that the
> security considerations of UTF-8 apply.
Just to be clear, are you saying that SPARQL Query's Conformance
section should mention the UTF-8 security considerations, or that
the mime type registration should?

The SPARQL grammar is defined in terms of Unicode, but not any
particular encoding. The mime-type registers a subset of SPARQL
query strings, specifically, those written in UTF-8. For example,
I've attached some text in an iso-latin encoding which is a SPARQL
query, but is not application/sparql-query .

I've added some text to the mime registration:
[[
Security considerations:
    See SPARQL Query appendix C, Security Considerations as well
    as RFC 2279 section 7, Security Considerations.
]]

Let me know if this is what you were thinking of. And, as always,
feel free to prefix the Subject: of a reply with [CLOSED] when you
consider the issue closed.
--
-eric

SPARQL Query (216 bytes) Download Attachment

Re: [OK?] Re: SPARQL: Security Considerations

Bjoern Hoehrmann

* Eric Prud'hommeaux wrote:
>Just to be clear, are you saying that SPARQL Query's Conformance
>section should mention the UTF-8 security considerations, or that
>the mime type registration should?

I think s/The encoding is always UTF-8/The encoding is always UTF-8
[RFC3629]/ where [RFC3629] is a normative reference, and something
like

>I've added some text to the mime registration:
>[[
>Security considerations:
>    See SPARQL Query appendix C, Security Considerations as well
>    as RFC 2279 section 7, Security Considerations.
>]]

but s/2279/3629/ as 2279 is obsolete.

Re: [OK?] Re: SPARQL: Security Considerations

Eric Prud'hommeaux
On Mon, Nov 14, 2005 at 09:29:24PM +0100, Bjoern Hoehrmann wrote:
> * Eric Prud'hommeaux wrote:
> >Just to be clear, are you saying that SPARQL Query's Conformance
> >section should mention the UTF-8 security considerations, or that
> >the mime type registration should?
>
> I think s/The encoding is always UTF-8/The encoding is always UTF-8
> [RFC3629]/ where [RFC3629] is a normative reference, and something
> like

You didn't finish your sentence, but I presume this normative
reference is what you had in mind:
  [RFC3629]
    RFC 3629 UTF-8, a transformation format of ISO 10646, F. Yergeau
    January 1998

> >I've added some text to the mime registration:
> >[[
> >Security considerations:
> >    See SPARQL Query appendix C, Security Considerations as well
> >    as RFC 2279 section 7, Security Considerations.
> >]]
>
> but s/2279/3629/ as 2279 is obsolete.

Done. closed?

BTW, Thanks are in order for this and all your comments. Your vigilance
is greatly appreciated.
--
-eric

Re: [OK?] Re: SPARQL: Security Considerations

Bjoern Hoehrmann

* Eric Prud'hommeaux wrote:
>You didn't finish your sentence, but I presume this normative
>reference is what you had in mind:
>  [RFC3629]
>    RFC 3629 UTF-8, a transformation format of ISO 10646, F. Yergeau
>    January 1998

>Done. closed?

If you s/January 1998/November 2003/...

>BTW, Thanks are in order for this and all your comments. Your vigilance
>is greatly appreciated.

I'm glad I can help :-)

[CLOSED] Re: SPARQL: Security Considerations

Eric Prud'hommeaux
On Mon, Nov 14, 2005 at 10:31:14PM +0100, Bjoern Hoehrmann wrote:

> * Eric Prud'hommeaux wrote:
> >You didn't finish your sentence, but I presume this normative
> >reference is what you had in mind:
> >  [RFC3629]
> >    RFC 3629 UTF-8, a transformation format of ISO 10646, F. Yergeau
> >    January 1998
>
> >Done. closed?
>
> If you s/January 1998/November 2003/...
I think I did this without introducing more errors...

> >BTW, Thanks are in order for this and all your comments. Your vigilance
> >is greatly appreciated.
>
> I'm glad I can help :-)

--
-eric
