SSPCPP-613 - add warning if no semi-colon found
author
Scott Cantor
<cantor.2@osu.edu>
Tue, 3 Feb 2015 19:39:19 +0000
(19:39 +0000)
committer
Scott Cantor
<cantor.2@osu.edu>
Tue, 3 Feb 2015 19:39:19 +0000
(19:39 +0000)
shibsp/impl/XMLServiceProvider.cpp
diff --git
a/shibsp/impl/XMLServiceProvider.cpp
b/shibsp/impl/XMLServiceProvider.cpp
index
59c86eb
..
5a985a9
100644
(file)
--- a/
shibsp/impl/XMLServiceProvider.cpp
+++ b/
shibsp/impl/XMLServiceProvider.cpp
@@
-594,10
+594,15
@@
XMLApplication::XMLApplication(
log.warn("insecure cookieProps setting, set to \"https\" for SSL/TLS-only usage");
}
else if (strcmp(prop.second, "https")) {
log.warn("insecure cookieProps setting, set to \"https\" for SSL/TLS-only usage");
}
else if (strcmp(prop.second, "https")) {
- if (!strstr(prop.second, "
;secure") && !strstr(prop.second, ";
secure"))
+ if (!strstr(prop.second, "secure"))
log.warn("custom cookieProps setting should include \"; secure\" for SSL/TLS-only usage");
log.warn("custom cookieProps setting should include \"; secure\" for SSL/TLS-only usage");
- else if (!strstr(prop.second, "
;HttpOnly") && !strstr(prop.second, ";
HttpOnly"))
+ else if (!strstr(prop.second, "HttpOnly"))
log.warn("custom cookieProps setting should include \"; HttpOnly\", site is vulnerable to client-side cookie theft");
log.warn("custom cookieProps setting should include \"; HttpOnly\", site is vulnerable to client-side cookie theft");
+
+ while (*prop.second && isspace(*prop.second))
+ ++prop.second;
+ if (*prop.second != ';')
+ log.warn("custom cookieProps setting must begin with a semicolon (;) as a delimiter");
}
pair<bool,bool> handlerSSL = sessionProps->getBool("handlerSSL");
}
pair<bool,bool> handlerSSL = sessionProps->getBool("handlerSSL");
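Review bot: The added whitespace skip calls `isspace(*prop.second)` on a plain `char`; where `char` is signed and the configured value contains a byte above 0x7F the argument is negative, which is undefined behavior for the ctype functions (only EOF and `unsigned char` values are permitted). Convert first: `while (*prop.second && isspace(static_cast<unsigned char>(*prop.second)))`. Separately, the loosened `strstr(prop.second, "secure")` and `strstr(prop.second, "HttpOnly")` checks match any substring and are case-sensitive, so a constructed value such as `; Path=/insecure` satisfies the first check without a Secure attribute while `; Secure` (cookie attribute names are case-insensitive per RFC 6265) still triggers the warning; since these are advisory, a case-insensitive match on the attribute token would make them more accurate. The `++prop.second` advances the pointer held in the property pair itself, so any later use of `prop.second` in this constructor would see the trimmed value — worth confirming against the code below the hunk. The enclosing XMLApplication constructor starts and ends outside the hunk.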