From: Scott Cantor
Date: Tue, 3 Feb 2015 19:39:19 +0000 (+0000)
Subject: SSPCPP-613 - add warning if no semi-colon found
X-Git-Tag: 2.5.4~12
X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-sp.git;a=commitdiff_plain;h=8fee4332ee3d9bef2eac996b36a2baf09a811318

SSPCPP-613 - add warning if no semi-colon found
---
diff --git a/shibsp/impl/XMLServiceProvider.cpp b/shibsp/impl/XMLServiceProvider.cpp
index 59c86eb..5a985a9 100644
--- a/shibsp/impl/XMLServiceProvider.cpp
+++ b/shibsp/impl/XMLServiceProvider.cpp
@@ -594,10 +594,15 @@ XMLApplication::XMLApplication(
 log.warn("insecure cookieProps setting, set to \"https\" for SSL/TLS-only usage");
 }
 else if (strcmp(prop.second, "https")) {
- if (!strstr(prop.second, ";secure") && !strstr(prop.second, "; secure"))
+ if (!strstr(prop.second, "secure"))
 log.warn("custom cookieProps setting should include \"; secure\" for SSL/TLS-only usage");
- else if (!strstr(prop.second, ";HttpOnly") && !strstr(prop.second, "; HttpOnly"))
+ else if (!strstr(prop.second, "HttpOnly"))
 log.warn("custom cookieProps setting should include \"; HttpOnly\", site is vulnerable to client-side cookie theft");
+
+ while (*prop.second && isspace(*prop.second))
+ ++prop.second;
+ if (*prop.second != ';')
+ log.warn("custom cookieProps setting must begin with a semicolon (;) as a delimiter");
 }
 pair handlerSSL = sessionProps->getBool("handlerSSL");
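Review bot: `isspace(*prop.second)` in the new while loop passes a plain `char`; on platforms where `char` is signed, any non-ASCII byte in the configured cookieProps value (for example a UTF-8 path or domain) becomes a negative argument, which is undefined behaviour for the `<cctype>` classification functions. Cast first: `while (*prop.second && isspace(static_cast<unsigned char>(*prop.second)))`. Separately, the loosened `strstr(prop.second, "secure")` / `strstr(prop.second, "HttpOnly")` tests on the first two `+` lines now match any substring, so a value whose path or domain text happens to contain "secure" suppresses the missing-attribute warning, and both remain case-sensitive even though browsers treat cookie attribute names case-insensitively; if that trade-off is intended, a short comment such as `// advisory check only; attribute names are matched case-sensitively here` would save the next reader a question. Note also that the loop advances `prop.second` itself, so if that pointer is reused after this block it no longer points at the start of the setting. The enclosing XMLApplication::XMLApplication constructor starts and ends outside the hunk.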