Jena GRDDL Reader: Version 0.3

Note: also refer to the security page that ships in the doc directory of your version of the Jena GRDDL Reader.

Background

GRDDL specifies that some files retrieved from the Web should be interpreted as XSLT and executed on the client machine. As with any technology involving the local execution of untrusted programs, particularly in a programming language that supports both local and remote input/output operations, there is a potential risk of malicious code.

Legal

The reader is reminded that the Jena GRDDL Reader is distributed under the Jena License terms. Nothing in the documentation, including this file, should be read as granting rights or expectations not granted under that license. In particular, the reader is reminded that:

THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (etc.)

Security Goals of Jena GRDDL Reader

Releases of the Jena GRDDL Reader should include documentation covering known security issues.

The aim is to implement the security section of the specification. This aim has not been fully achieved in any version of the software.

Details of Implementation, (Lack of) Conformance

The conformance page indicates which features of the specification have been implemented, which are viewed as the responsibility of the user of the software, and which are unimplemented.

Potential Weaknesses

Any defects in the code implementing the security features of GRDDL may leave security holes. In the worst case, this may enable a malicious party to take control of your machine. A more likely case is that a malicious party will gain illegal access to some data, either on your machine or accessible from your machine, that is not directly accessible to the malicious party.

Known weaknesses are listed both in the conformance section and on the security alerts page.