From 8fee4332ee3d9bef2eac996b36a2baf09a811318 Mon Sep 17 00:00:00 2001
From: Scott Cantor
Date: Tue, 3 Feb 2015 19:39:19 +0000
Subject: [PATCH] SSPCPP-613 - add warning if no semi-colon found

---
 shibsp/impl/XMLServiceProvider.cpp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/shibsp/impl/XMLServiceProvider.cpp b/shibsp/impl/XMLServiceProvider.cpp
index 59c86eb..5a985a9 100644
--- a/shibsp/impl/XMLServiceProvider.cpp
+++ b/shibsp/impl/XMLServiceProvider.cpp
@@ -594,10 +594,15 @@ XMLApplication::XMLApplication(
                 log.warn("insecure cookieProps setting, set to \"https\" for SSL/TLS-only usage");
             }
             else if (strcmp(prop.second, "https")) {
-                if (!strstr(prop.second, ";secure") && !strstr(prop.second, "; secure"))
+                if (!strstr(prop.second, "secure"))
                     log.warn("custom cookieProps setting should include \"; secure\" for SSL/TLS-only usage");
-                else if (!strstr(prop.second, ";HttpOnly") && !strstr(prop.second, "; HttpOnly"))
+                else if (!strstr(prop.second, "HttpOnly"))
                     log.warn("custom cookieProps setting should include \"; HttpOnly\", site is vulnerable to client-side cookie theft");
+
+                while (*prop.second && isspace(*prop.second))
+                    ++prop.second;
+                if (*prop.second != ';')
+                    log.warn("custom cookieProps setting must begin with a semicolon (;) as a delimiter");
             }

             pair handlerSSL = sessionProps->getBool("handlerSSL");
--
2.1.4
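Review bot: The added whitespace skip passes a plain `char` to `isspace(*prop.second)`, which is undefined behaviour for any byte at or above 0x80 (the argument must be representable as `unsigned char` or be EOF); write it as `isspace(static_cast<unsigned char>(*prop.second))`. The loosened checks on the changed `strstr` lines are case-sensitive substring matches, so the RFC 6265 canonical spelling `; Secure` now triggers a spurious "should include secure" warning, while a value such as `; Path=/secure` silences it without the attribute being present. Cookie attribute names are case-insensitive, so splitting the value on `;`, trimming each token and comparing it case-insensitively (`strcasecmp`, `_stricmp` on Windows) would make both warnings reliable rather than trading one false result for another. The skip loop also advances `prop.second` itself; if that pointer is read again later in the constructor (which continues outside this hunk), a value with leading whitespace would be silently altered, so scanning with a separate `const char* p = prop.second;` is safer.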