SSPCPP-613 - add warning if no semi-colon found
authorScott Cantor <cantor.2@osu.edu>
Tue, 3 Feb 2015 19:39:19 +0000 (19:39 +0000)
committerScott Cantor <cantor.2@osu.edu>
Tue, 3 Feb 2015 19:39:19 +0000 (19:39 +0000)
shibsp/impl/XMLServiceProvider.cpp

index 59c86eb..5a985a9 100644 (file)
@@ -594,10 +594,15 @@ XMLApplication::XMLApplication(
             log.warn("insecure cookieProps setting, set to \"https\" for SSL/TLS-only usage");
         }
         else if (strcmp(prop.second, "https")) {
-            if (!strstr(prop.second, ";secure") && !strstr(prop.second, "; secure"))
+            if (!strstr(prop.second, "secure"))
                 log.warn("custom cookieProps setting should include \"; secure\" for SSL/TLS-only usage");
-            else if (!strstr(prop.second, ";HttpOnly") && !strstr(prop.second, "; HttpOnly"))
+            else if (!strstr(prop.second, "HttpOnly"))
                 log.warn("custom cookieProps setting should include \"; HttpOnly\", site is vulnerable to client-side cookie theft");
+
+            while (*prop.second && isspace(*prop.second))
+                ++prop.second;
+            if (*prop.second != ';')
+                log.warn("custom cookieProps setting must begin with a semicolon (;) as a delimiter");
         }
 
         pair<bool,bool> handlerSSL = sessionProps->getBool("handlerSSL");
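Review bot: The whitespace skip at the new `while` line passes a plain `char` to `isspace`, which is undefined behaviour for bytes outside 0..UCHAR_MAX when `char` is signed; since cookieProps comes from the site's configuration, the loop should read `while (*prop.second && isspace(static_cast<unsigned char>(*prop.second)))`. The relaxed substring checks on the new `secure`/`HttpOnly` lines are case-sensitive and will also be satisfied by any other attribute value that happens to contain those letters, so the warning can be suppressed without the flag actually being set; if that is acceptable, a comment such as `// loose substring check; only a heuristic, not a cookie attribute parser` above the first `if` would make the intent clear. The semicolon warning is only emitted for values that are not exactly "https", which matches the enclosing `else if`, but a leading whitespace-only value falls through to it and is reported as a missing delimiter rather than as empty — worth a short comment if deliberate. The enclosing XMLApplication constructor begins and ends outside this hunk.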