Hi!

After some digging I found that changing the __repr__ of Literal from:

    def __repr__(self):
        return """rdflib.Literal('%s', lang=%s, datatype=%s)""" % (
                str(self), repr(self.language), repr(self.datatype))

to:

    def __repr__(self):
        return """rdflib.Literal(%s, lang=%s, datatype=%s)""" % (
                super(Literal, self).__repr__(),
                repr(self.language),
                repr(self.datatype))

Solves this.

Apart from the unicode problem, the repr also failed when the value
contained single quotes. This was a potential security hole for e.g.
SPARQL endpoints based on rdflib (we have a non-restricted eval on
line 285 in "rdflib/sparql/bison/SPARQLEvaluate.py"). Just try (or
rather don't):

    FILTER(?name != "' + repr(__import__('sys', []).exit()) + '")

The fix above solves this too. I have checked it in now (revision 1241).

Best regards,
Niklas



On 7/17/07, Gunnar Aastrand Grimnes <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I have some problems with querying for unicode literals. If I have a query like:
>
> select ?x where { ?x ?y ?z FILTER ( ?z == "ö" ). }
>
> I get exceptions when parsing. This only breaks when in a filter though.
>
> I attach a "test-case"
>
> I see unicode and sparql used to be a problem way back:
> http://rdflib.net/issues/2006/11/14/another_problem_with_unicode_strings_in_sparql_queries/issue
> and
> http://rdflib.net/issues/2006/11/01/unicode_strings_in_sparql_query_is_not_supported/issue
>
> but it was apparently fixed.
>
> --
> Gunnar Aastrand Grimnes
> gunnar.grimnes [AT] dfki.de
>
> DFKI GmbH
> Knowledge Management
> Trippstadter Strasse 122
> D-67663 Kaiserslautern
> Germany
>
> Office: +49 631 205 75-117
> Mobile: +49 177 277 4397
>
>
> _______________________________________________
> Dev mailing list
> Dev@rdflib.net
> http://rdflib.net/mailman/listinfo/dev
>
>
>
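
The single-quote problem described in the reply above, as an added example that is not part of the original post or of rdflib's code. `Lit` is a hypothetical stand-in for `Literal`, `evaluate` stands in for the unrestricted eval, and the payload is a constructed, harmless arithmetic expression; it runs under Python 3 and covers only the quoting issue, not the original unicode error.

```python
import ast

class Lit(str):
    """Hypothetical stand-in for rdflib's Literal (not rdflib code)."""
    def __new__(cls, value, lang=None, datatype=None):
        obj = super().__new__(cls, value)
        obj.language, obj.datatype = lang, datatype
        return obj

def old_repr(lit):
    # 'Before' form from the post: the value is pasted between hand-written quotes.
    return "Lit('%s', lang=%s, datatype=%s)" % (
        str(lit), repr(lit.language), repr(lit.datatype))

def new_repr(lit):
    # 'After' form: str.__repr__ does the quoting and escaping.
    return "Lit(%s, lang=%s, datatype=%s)" % (
        str.__repr__(lit), repr(lit.language), repr(lit.datatype))

def is_plain_literal_call(src):
    """True only if src parses as Lit(...) whose arguments are all constants."""
    try:
        node = ast.parse(src, mode="eval").body
    except SyntaxError:
        return False
    if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == "Lit"):
        return False
    args = node.args + [kw.value for kw in node.keywords]
    return all(isinstance(a, ast.Constant) for a in args)

def evaluate(src):
    # Stand-in for the unrestricted eval; only Lit and str are in scope here.
    return eval(src, {"__builtins__": {}, "Lit": Lit, "str": str})

# Constructed sample value: closes the hand-written quote, computes, reopens it.
PAYLOAD = "' + str(6 * 7) + '"

if __name__ == "__main__":
    lit = Lit(PAYLOAD)
    for name, fn in (("old", old_repr), ("new", new_repr)):
        src = fn(lit)
        print(name, "repr:         ", src)
        print(name, "literal-only: ", is_plain_literal_call(src))
        print(name, "round-trips:  ", evaluate(src) == PAYLOAD)
```

The `is_plain_literal_call` check is the kind of guard that can sit in front of any remaining `eval` of generated source: it rejects input that fails to parse and input whose arguments are expressions rather than constants.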
