Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 25 Oct 2012 15:15:52 +0000 (UTC)
From:      Jun Kuriyama <kuriyama@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r306385 - in head/www/mod_auth_tkt: . files
Message-ID:  <201210251515.q9PFFq8x086051@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: kuriyama
Date: Thu Oct 25 15:15:52 2012
New Revision: 306385
URL: http://svn.freebsd.org/changeset/ports/306385

Log:
  - Add option to use TKTAuthQuerySeparator directive.
  
  Obtained from:	https://github.com/gavincarr/mod_auth_tkt
  Feature safe: yes

Added:
  head/www/mod_auth_tkt/files/
  head/www/mod_auth_tkt/files/extra-patch-query-separator   (contents, props changed)
Modified:
  head/www/mod_auth_tkt/Makefile

Modified: head/www/mod_auth_tkt/Makefile
==============================================================================
--- head/www/mod_auth_tkt/Makefile	Thu Oct 25 14:31:01 2012	(r306384)
+++ head/www/mod_auth_tkt/Makefile	Thu Oct 25 15:15:52 2012	(r306385)
@@ -3,6 +3,7 @@
 
 PORTNAME=	mod_auth_tkt
 PORTVERSION=	2.1.0
+PORTREVISION=	1
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_LOCAL} \
 		http://www.openfusion.com.au/labs/dist/mod_auth_tkt/
@@ -13,12 +14,24 @@ COMMENT=	Lightweight single-sign-on auth
 
 USE_APACHE=	22
 WRKSRC=		${WRKDIR}/${PORTNAME}-${PORTVERSION}/src
+PATCH_WRKSRC=	${WRKDIR}/${PORTNAME}-${PORTVERSION}
+PATCH_STRIP=	-p1
 AP_FAST_BUILD=	yes
 SRC_FILE=	${PORTNAME}.c sha2.c
 AP_EXTRAS=	-DAPACHE22
 
 MAN3=	mod_auth_tkt.3
 
+OPTIONS_DEFINE=	QUERY_SEP
+QUERY_SEP_DESC=	Experimental TKTAuthQuerySeparator directive
+OPTIONS_DEFAULT=QUERY_SEP
+
+.include <bsd.port.options.mk>
+
+.if ${PORT_OPTIONS:MQUERY_SEP}
+EXTRA_PATCHES+=	${FILESDIR}/extra-patch-query-separator
+.endif
+
 post-patch:
 	${REINPLACE_CMD} -e 's|.usr/share/man|${PREFIX}/man|' ${WRKSRC}/../Makedefs
 

Added: head/www/mod_auth_tkt/files/extra-patch-query-separator
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/www/mod_auth_tkt/files/extra-patch-query-separator	Thu Oct 25 15:15:52 2012	(r306385)
@@ -0,0 +1,1454 @@
+diff --git a/cgi/logout.cgi b/cgi/logout.cgi
+index b2a830c..41fa7e1 100755
+--- a/cgi/logout.cgi
++++ b/cgi/logout.cgi
+@@ -33,16 +33,19 @@ $back ||= $q->cookie($at->back_cookie_name) if $at->back_cookie_name;
+ $back ||= $q->param($at->back_arg_name) if $at->back_arg_name;
+ $back = $AuthTktConfig::DEFAULT_BACK_LOCATION if $AuthTktConfig::DEFAULT_BACK_LOCATION;
+ $back ||= $ENV{HTTP_REFERER} if $ENV{HTTP_REFERER} && $AuthTktConfig::BACK_REFERER;
+-if ($back && $back =~ m!^/!) {
+-  my $hostname = $server_name;
+-  my $port = $server_port;
+-  $hostname .= ':' . $port if $port && $port != 80 && $port != 443;
+-  $back = sprintf "http%s://%s%s", ($port == 443 ? 's' : ''), $hostname, $back;
+-} elsif ($back && $back !~ m/^http/i) {
+-  $back = 'http://' . $back;
++my $back_html = '';
++if ($back) {
++  if ($back =~ m!^/!) {
++    my $hostname = $server_name;
++    my $port = $server_port;
++    $hostname .= ':' . $port if $port && $port != 80 && $port != 443;
++    $back = sprintf "http%s://%s%s", ($port == 443 ? 's' : ''), $hostname, $back;
++  } elsif ($back !~ m/^http/i) {
++    $back = 'http://' . $back;
++  }
++  $back = uri_unescape($back) if $back =~ m/^https?%3A%2F%2F/;
++  $back_html = escapeHTML($back);
+ }
+-$back = uri_unescape($back) if $back =~ m/^https?%3A%2F%2F/;
+-my $back_html = escapeHTML($back) if $back;
+ 
+ # Logout by resetting the auth cookie
+ my @cookies = cookie(-name => $at->cookie_name, -value => '', -expires => '-1h', 
+diff --git a/conf/auth_tkt_cgi.conf b/conf/auth_tkt_cgi.conf
+index e2546bc..e969c44 100644
+--- a/conf/auth_tkt_cgi.conf
++++ b/conf/auth_tkt_cgi.conf
+@@ -13,6 +13,9 @@
+ # Digest type to use - default is MD5, alternatives are SHA256 or SHA512
+ #TKTAuthDigestType MD5
+ 
++# Query separator for generated URLs. Defaults to semi-colon (';')
++#TKTAuthQuerySeparator &
++
+ # Used by sample CGI scripts to locate this config file
+ SetEnv MOD_AUTH_TKT_CONF "/etc/httpd/conf.d/auth_tkt_cgi.conf"
+ 
+diff --git a/doc/mod_auth_tkt.pod b/doc/mod_auth_tkt.pod
+index dd7d85c..edf0590 100644
+--- a/doc/mod_auth_tkt.pod
++++ b/doc/mod_auth_tkt.pod
+@@ -227,7 +227,9 @@ the ticket hashing, so you should always set a TKTAuthTimeout in
+ addition to using an expiry. Cookie expiries are refreshed with
+ tickets if TKTAuthTimeoutRefresh is set.
+ 
+-Default: none. Examples:
++Default: none (not used).
++
++e.g.
+ 
+   TKTAuthCookieExpires 86400
+   TKTAuthCookieExpires 1w
+@@ -245,6 +247,11 @@ http://www.example.com/index.html and TKTAuthBackArgName is set to
+ 
+ to the TKTAuthLoginURL it redirects to, allowing your login script
+ to redirect back to the requested page upon successful login.
++
++To omit altogether, set to the string B<None> i.e.
++
++  TKTAuthBackArgName None
++
+ Default: 'back'.
+ 
+ =item TKTAuthBackCookieName <name>
+@@ -252,7 +259,9 @@ Default: 'back'.
+ The cookie name to use for the back cookie. If this is set,
+ mod_auth_tkt will set a back cookie containing a URI-escaped version
+ of current requested page when redirecting (see TKTAuthBackArgName
+-above). Default: none.
++above), instead of using a GET parameter.
++
++Default: none (not used).
+ 
+ =item TKTAuthToken <token>
+ 
+@@ -267,7 +276,9 @@ Note that this directive can be repeated, and the semantics are that
+ B<any> of the required tokens is sufficient for access i.e. the tokens
+ are ORed.
+ 
+-Default: none. e.g.
++Default: none (not used).
++
++e.g.
+ 
+   TKTAuthToken finance
+   TKTAuthToken admin
+@@ -281,8 +292,12 @@ this as well, setting the client IP address to 0.0.0.0). This is
+ often required out on the open internet, especially if you are 
+ using an HTTPS login page (as you should) and are dealing with 
+ more than a handful of users (the typical problem being 
+-transparent HTTP proxies at ISPs). Default: 'off' i.e. ticket
+-is only valid from the originating IP address. e.g.
++transparent HTTP proxies at ISPs).
++
++Default: 'off' i.e. ticket is only valid from the originating
++IP address.
++
++e.g.
+ 
+   TKTAuthIgnoreIP on
+ 
+diff --git a/src/mod_auth_tkt.c b/src/mod_auth_tkt.c
+index c2609e9..74bb669 100644
+--- a/src/mod_auth_tkt.c
++++ b/src/mod_auth_tkt.c
+@@ -38,6 +38,7 @@
+ #define REMOTE_USER_TOKENS_ENV "REMOTE_USER_TOKENS"
+ #define DEFAULT_TIMEOUT_SEC 7200
+ #define DEFAULT_GUEST_USER "guest"
++#define QUERY_SEPARATOR ';'
+ 
+ #define FORCE_REFRESH 1
+ #define CHECK_REFRESH 0
+@@ -68,6 +69,7 @@ typedef struct  {
+   char *guest_user;
+   int guest_fallback;
+   int debug;
++  const char *query_separator;
+ } auth_tkt_dir_conf;
+ 
+ /* Per-server configuration */
+@@ -99,24 +101,24 @@ void
+ auth_tkt_version(server_rec *s, pool *p)
+ {
+   ap_add_version_component("mod_auth_tkt/" TKT_AUTH_VERSION);
+-  ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s, 
++  ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s,
+       "mod_auth_tkt: version %s", TKT_AUTH_VERSION);
+ }
+ 
+ #else
+ static int
+-auth_tkt_version(apr_pool_t *p, 
++auth_tkt_version(apr_pool_t *p,
+   apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
+ {
+   ap_add_version_component(p, "mod_auth_tkt/" TKT_AUTH_VERSION);
+-  ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s, 
++  ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s,
+       "mod_auth_tkt: version %s", TKT_AUTH_VERSION);
+   return DECLINED;
+ }
+ #endif
+ 
+ /* Create per-dir config structures */
+-static void * 
++static void *
+ create_auth_tkt_config(apr_pool_t *p, char* path)
+ {
+   auth_tkt_dir_conf *conf = apr_palloc(p, sizeof(*conf));
+@@ -142,11 +144,12 @@ create_auth_tkt_config(apr_pool_t *p, char* path)
+   conf->guest_user = NULL;
+   conf->guest_fallback = -1;
+   conf->debug = -1;
+-  return conf;  
++  conf->query_separator = (char *)QUERY_SEPARATOR;
++  return conf;
+ }
+ 
+ /* Merge per-dir config structures */
+-static void * 
++static void *
+ merge_auth_tkt_config(apr_pool_t *p, void* parent_dirv, void* subdirv)
+ {
+   auth_tkt_dir_conf *parent = (auth_tkt_dir_conf *) parent_dirv;
+@@ -174,6 +177,7 @@ merge_auth_tkt_config(apr_pool_t *p, void* parent_dirv, void* subdirv)
+   conf->guest_user = (subdir->guest_user) ? subdir->guest_user : parent->guest_user;
+   conf->guest_fallback = (subdir->guest_fallback >= 0) ?  subdir->guest_fallback : parent->guest_fallback;
+   conf->debug = (subdir->debug >= 0) ? subdir->debug : parent->debug;
++  conf->query_separator = (subdir->query_separator) ? subdir->query_separator : parent->query_separator;
+ 
+   return conf;
+ }
+@@ -188,7 +192,7 @@ create_auth_tkt_serv_config(apr_pool_t *p, server_rec* s)
+   sconf->digest_type = NULL;
+   sconf->digest_sz = 0;
+   return sconf;
+-} 
++}
+ 
+ /* Merge per-server config structures */
+ static void *
+@@ -203,7 +207,7 @@ merge_auth_tkt_serv_config(apr_pool_t *p, void* parent_dirv, void* subdirv)
+   sconf->digest_type = (subdir->digest_type) ? subdir->digest_type : parent->digest_type;
+   sconf->digest_sz   = (subdir->digest_sz) ? subdir->digest_sz : parent->digest_sz;
+   return sconf;
+-} 
++}
+ 
+ /* ----------------------------------------------------------------------- */
+ /* Command-specific functions */
+@@ -243,8 +247,8 @@ convert_to_seconds (cmd_parms *cmd, const char *param, int *seconds)
+       multiplier = 30 * 24 * 60 * 60;
+     else if (unit == 'y')
+       multiplier = 365 * 24 * 60 * 60;
+-    else 
+-      return apr_psprintf(cmd->pool, 
++    else
++      return apr_psprintf(cmd->pool,
+         "Bad time string - unrecognised unit '%c'", unit);
+   }
+ 
+@@ -256,7 +260,7 @@ convert_to_seconds (cmd_parms *cmd, const char *param, int *seconds)
+ static const char *
+ set_auth_tkt_token (cmd_parms *cmd, void *cfg, const char *param)
+ {
+-  char	**new;
++  char **new;
+   auth_tkt_dir_conf *conf = (auth_tkt_dir_conf *) cfg;
+ 
+   new = (char **) apr_array_push(conf->auth_token);
+@@ -270,12 +274,12 @@ set_auth_tkt_timeout (cmd_parms *cmd, void *cfg, const char *param)
+   auth_tkt_dir_conf *conf = (auth_tkt_dir_conf *)cfg;
+   int seconds = conf->timeout_sec;
+   const char *error;
+-        
++
+   /* Easy case - looks like all digits */
+   if (apr_isdigit(param[0]) && apr_isdigit(param[strlen(param) - 1])) {
+     seconds = atoi(param);
+   }
+-         
++
+   /* Harder case - convert units to seconds */
+   else {
+     error = convert_to_seconds(cmd, param, &seconds);
+@@ -286,7 +290,7 @@ set_auth_tkt_timeout (cmd_parms *cmd, void *cfg, const char *param)
+   if (seconds == INT_MAX) return ("Integer overflow or invalid number");
+ 
+   conf->timeout_sec = seconds;
+-  
++
+   return NULL;
+ }
+ 
+@@ -294,14 +298,14 @@ static const char *
+ set_auth_tkt_timeout_min (cmd_parms *cmd, void *cfg, const char *param)
+ {
+   auth_tkt_dir_conf *conf = (auth_tkt_dir_conf *)cfg;
+-  
++
+   int minutes = atoi(param);
+-  
++
+   if (minutes < 0)        return ("Timeout must be positive");
+   if (minutes == INT_MAX) return ("Integer overflow or invalid number");
+-  
++
+   conf->timeout_sec = minutes * 60;
+-  
++
+   return NULL;
+ }
+ 
+@@ -309,21 +313,21 @@ static const char *
+ set_auth_tkt_timeout_refresh (cmd_parms *cmd, void *cfg, const char *param)
+ {
+   auth_tkt_dir_conf *conf = (auth_tkt_dir_conf *)cfg;
+-  
++
+   double refresh = atof(param);
+ 
+-  if (refresh < 0 || refresh > 1) 
++  if (refresh < 0 || refresh > 1)
+     return "Refresh flag must be between 0 and 1";
+-  
++
+   conf->timeout_refresh = refresh;
+-  
++
+   return NULL;
+ }
+ 
+ static const char *
+ setup_secret (cmd_parms *cmd, void *cfg, const char *param)
+ {
+-  auth_tkt_serv_conf *sconf = 
++  auth_tkt_serv_conf *sconf =
+     ap_get_module_config(cmd->server->module_config, &auth_tkt_module);
+   sconf->secret = param;
+   return NULL;
+@@ -332,12 +336,22 @@ setup_secret (cmd_parms *cmd, void *cfg, const char *param)
+ static const char *
+ setup_old_secret (cmd_parms *cmd, void *cfg, const char *param)
+ {
+-  auth_tkt_serv_conf *sconf = ap_get_module_config(cmd->server->module_config, 
++  auth_tkt_serv_conf *sconf = ap_get_module_config(cmd->server->module_config,
+     &auth_tkt_module);
+   sconf->old_secret = param;
+   return NULL;
+ }
+ 
++static const char *
++setup_query_separator (cmd_parms *cmd, void *cfg, const char *param)
++{
++  if (strcmp(param, ";") != 0 && strcmp(param, "&") != 0)
++    return "QuerySeparator must be either ';' or '&'.";
++  auth_tkt_dir_conf *conf = (auth_tkt_dir_conf *)cfg;
++  conf->query_separator = param;
++  return NULL;
++}
++
+ void
+ setup_digest_sz (auth_tkt_serv_conf *sconf)
+ {
+@@ -355,10 +369,10 @@ setup_digest_sz (auth_tkt_serv_conf *sconf)
+ static const char *
+ setup_digest_type (cmd_parms *cmd, void *cfg, const char *param)
+ {
+-  auth_tkt_serv_conf *sconf = 
++  auth_tkt_serv_conf *sconf =
+     ap_get_module_config(cmd->server->module_config, &auth_tkt_module);
+ 
+-  if (strcmp(param, "MD5") != 0 && 
++  if (strcmp(param, "MD5") != 0 &&
+       strcmp(param, "SHA256") != 0 &&
+       strcmp(param, "SHA512") != 0)
+     return "Digest type must be one of: MD5 | SHA256 | SHA512.";
+@@ -391,7 +405,7 @@ set_cookie_expires (cmd_parms *cmd, void *cfg, const char *param)
+   if (seconds == INT_MAX) return ("Integer overflow or invalid number");
+ 
+   conf->cookie_expires = seconds;
+-  
++
+   return NULL;
+ }
+ 
+@@ -399,90 +413,93 @@ static const char *
+ set_auth_tkt_debug (cmd_parms *cmd, void *cfg, const char *param)
+ {
+   auth_tkt_dir_conf *conf = (auth_tkt_dir_conf *)cfg;
+-  
++
+   int debug = atoi(param);
+-  
++
+   if (debug < 0)        return ("Debug level must be positive");
+   if (debug == INT_MAX) return ("Integer overflow or invalid number");
+-  
++
+   conf->debug = debug;
+-  
++
+   return NULL;
+ }
+ 
+ /* Command table */
+ static const command_rec auth_tkt_cmds[] =
+ {
+-  AP_INIT_TAKE1("TKTAuthLoginURL", ap_set_string_slot, 
++  AP_INIT_TAKE1("TKTAuthLoginURL", ap_set_string_slot,
+     (void *)APR_OFFSETOF(auth_tkt_dir_conf, login_url),
+     OR_AUTHCFG, "URL to redirect to if authentication fails"),
+-  AP_INIT_TAKE1("TKTAuthTimeoutURL", ap_set_string_slot, 
++  AP_INIT_TAKE1("TKTAuthTimeoutURL", ap_set_string_slot,
+     (void *)APR_OFFSETOF(auth_tkt_dir_conf, timeout_url),
+     OR_AUTHCFG, "URL to redirect to if cookie times-out"),
+-  AP_INIT_TAKE1("TKTAuthPostTimeoutURL", ap_set_string_slot, 
++  AP_INIT_TAKE1("TKTAuthPostTimeoutURL", ap_set_string_slot,
+     (void *)APR_OFFSETOF(auth_tkt_dir_conf, post_timeout_url),
+     OR_AUTHCFG, "URL to redirect to if cookie times-out doing a POST"),
+-  AP_INIT_TAKE1("TKTAuthUnauthURL", ap_set_string_slot, 
++  AP_INIT_TAKE1("TKTAuthUnauthURL", ap_set_string_slot,
+     (void *)APR_OFFSETOF(auth_tkt_dir_conf, unauth_url),
+     OR_AUTHCFG, "URL to redirect to if valid user without required token"),
+-  AP_INIT_TAKE1("TKTAuthCookieName", ap_set_string_slot, 
++  AP_INIT_TAKE1("TKTAuthCookieName", ap_set_string_slot,
+     (void *)APR_OFFSETOF(auth_tkt_dir_conf, auth_cookie_name),
+     OR_AUTHCFG, "name to use for ticket cookie"),
+-  AP_INIT_TAKE1("TKTAuthDomain", ap_set_string_slot, 
++  AP_INIT_TAKE1("TKTAuthDomain", ap_set_string_slot,
+     (void *)APR_OFFSETOF(auth_tkt_dir_conf, auth_domain),
+     OR_AUTHCFG, "domain to use in cookies"),
+ #ifndef APACHE13
+   /* TKTAuthCookieExpires is not supported under Apache 1.3 */
+-  AP_INIT_ITERATE("TKTAuthCookieExpires", set_cookie_expires, 
++  AP_INIT_ITERATE("TKTAuthCookieExpires", set_cookie_expires,
+     (void *)APR_OFFSETOF(auth_tkt_dir_conf, cookie_expires),
+     OR_AUTHCFG, "cookie expiry period, in seconds or units [smhdwMy]"),
+ #endif
+-  AP_INIT_TAKE1("TKTAuthBackCookieName", ap_set_string_slot, 
++  AP_INIT_TAKE1("TKTAuthBackCookieName", ap_set_string_slot,
+     (void *)APR_OFFSETOF(auth_tkt_dir_conf, back_cookie_name),
+-    OR_AUTHCFG, "name to use for back cookie (NULL for none)"),
+-  AP_INIT_TAKE1("TKTAuthBackArgName", ap_set_string_slot, 
++    OR_AUTHCFG, "name to use for back cookie (default: none)"),
++  AP_INIT_TAKE1("TKTAuthBackArgName", ap_set_string_slot,
+     (void *)APR_OFFSETOF(auth_tkt_dir_conf, back_arg_name),
+-    OR_AUTHCFG, "name to use for back url argument (NULL for none)"),
+-  AP_INIT_FLAG("TKTAuthIgnoreIP", ap_set_flag_slot, 
++    OR_AUTHCFG, "name to use for back url argument ('None' to not use)"),
++  AP_INIT_FLAG("TKTAuthIgnoreIP", ap_set_flag_slot,
+     (void *)APR_OFFSETOF(auth_tkt_dir_conf, ignore_ip),
+     OR_AUTHCFG, "whether to ignore remote IP address in ticket"),
+-  AP_INIT_FLAG("TKTAuthRequireSSL", ap_set_flag_slot, 
++  AP_INIT_FLAG("TKTAuthRequireSSL", ap_set_flag_slot,
+     (void *)APR_OFFSETOF(auth_tkt_dir_conf, require_ssl),
+     OR_AUTHCFG, "whether to refuse non-HTTPS requests"),
+-  AP_INIT_FLAG("TKTAuthCookieSecure", ap_set_flag_slot, 
++  AP_INIT_FLAG("TKTAuthCookieSecure", ap_set_flag_slot,
+     (void *)APR_OFFSETOF(auth_tkt_dir_conf, secure_cookie),
+     OR_AUTHCFG, "whether to set secure flag on ticket cookies"),
+-  AP_INIT_ITERATE("TKTAuthToken", set_auth_tkt_token, 
++  AP_INIT_ITERATE("TKTAuthToken", set_auth_tkt_token,
+     (void *)APR_OFFSETOF(auth_tkt_dir_conf, auth_token),
+     OR_AUTHCFG, "token required to access this area (NULL for none)"),
+-  AP_INIT_ITERATE("TKTAuthTimeout", set_auth_tkt_timeout, 
++  AP_INIT_ITERATE("TKTAuthTimeout", set_auth_tkt_timeout,
+     (void *)APR_OFFSETOF(auth_tkt_dir_conf, timeout_sec),
+     OR_AUTHCFG, "ticket inactivity timeout, in seconds or units [smhdwMy]"),
+-  AP_INIT_TAKE1("TKTAuthTimeoutMin", set_auth_tkt_timeout_min, 
++  AP_INIT_TAKE1("TKTAuthTimeoutMin", set_auth_tkt_timeout_min,
+     NULL, OR_AUTHCFG, "ticket inactivity timeout, in minutes (deprecated)"),
+-  AP_INIT_TAKE1("TKTAuthTimeoutRefresh", set_auth_tkt_timeout_refresh, 
++  AP_INIT_TAKE1("TKTAuthTimeoutRefresh", set_auth_tkt_timeout_refresh,
+     NULL, OR_AUTHCFG, "ticket timeout refresh flag (0-1)"),
+-  AP_INIT_TAKE1("TKTAuthSecret", setup_secret, 
++  AP_INIT_TAKE1("TKTAuthSecret", setup_secret,
+     NULL, RSRC_CONF, "secret key to use in digest"),
+-  AP_INIT_TAKE1("TKTAuthSecretOld", setup_old_secret, 
++  AP_INIT_TAKE1("TKTAuthSecretOld", setup_old_secret,
+     NULL, RSRC_CONF, "old/alternative secret key to check in digests"),
+-  AP_INIT_TAKE1("TKTAuthDigestType", setup_digest_type, 
+-    NULL, RSRC_CONF, "digest type to use [MD5|SHA256|SHA512], default MD5"),
++  AP_INIT_TAKE1("TKTAuthDigestType", setup_digest_type,
++    NULL, RSRC_CONF, "digest type to use [MD5|SHA256|SHA512], default: MD5"),
+   AP_INIT_FLAG("TKTAuthGuestLogin", ap_set_flag_slot,
+     (void *)APR_OFFSETOF(auth_tkt_dir_conf, guest_login),
+     OR_AUTHCFG, "whether to log people in as guest if no other auth available"),
+   AP_INIT_FLAG("TKTAuthGuestCookie", ap_set_flag_slot,
+     (void *)APR_OFFSETOF(auth_tkt_dir_conf, guest_cookie),
+-    OR_AUTHCFG, "whether to set a cookie when accepting guest users (default off)"),
+-  AP_INIT_TAKE1("TKTAuthGuestUser", ap_set_string_slot, 
++    OR_AUTHCFG, "whether to set a cookie when accepting guest users (default: off)"),
++  AP_INIT_TAKE1("TKTAuthGuestUser", ap_set_string_slot,
+     (void *)APR_OFFSETOF(auth_tkt_dir_conf, guest_user),
+     OR_AUTHCFG, "username to use for guest logins"),
+   AP_INIT_FLAG("TKTAuthGuestFallback", ap_set_flag_slot,
+     (void *)APR_OFFSETOF(auth_tkt_dir_conf, guest_fallback),
+-    OR_AUTHCFG, "whether to fall back to guest on an expired ticket (default off)"),
+-  AP_INIT_ITERATE("TKTAuthDebug", set_auth_tkt_debug, 
++    OR_AUTHCFG, "whether to fall back to guest on an expired ticket (default: off)"),
++  AP_INIT_ITERATE("TKTAuthDebug", set_auth_tkt_debug,
+     (void *)APR_OFFSETOF(auth_tkt_dir_conf, debug),
+     OR_AUTHCFG, "debug level (1-3, higher for more debug output)"),
++  AP_INIT_TAKE1("TKTAuthQuerySeparator", setup_query_separator,
++    (void *)APR_OFFSETOF(auth_tkt_dir_conf, query_separator),
++    OR_AUTHCFG, "Character used in query strings to separate arguments (default: ';')"),
+   {NULL},
+ };
+ 
+@@ -490,28 +507,28 @@ static const command_rec auth_tkt_cmds[] =
+ /* Support functions */
+ 
+ /* Parse cookie. Returns 1 if valid, and details in *parsed; 0 if not */
+-static int 
++static int
+ parse_ticket(request_rec *r, char **magic, auth_tkt *parsed)
+ {
+   int sepidx, sep2idx;
+   char *ticket = *magic;
+   int len = strlen(ticket);
+-  auth_tkt_serv_conf *sconf = 
++  auth_tkt_serv_conf *sconf =
+     ap_get_module_config(r->server->module_config, &auth_tkt_module);
+-  auth_tkt_dir_conf *conf = 
++  auth_tkt_dir_conf *conf =
+     ap_get_module_config(r->per_dir_config, &auth_tkt_module);
+-  
++
+   /* For some reason (some clients?), tickets sometimes come in quoted */
+   if (ticket[len-1] == '"') ticket[len-1] = 0;
+   if (ticket[0] == '"') *magic = ++ticket;
+ 
+   /* Basic length check for min size */
+   if (len <= (sconf->digest_sz + TSTAMP_SZ))
+-    return 0; 
+-  
++    return 0;
++
+   /* See if there is a uid/data separator */
+   sepidx = ap_ind(ticket, SEPARATOR);
+-  if (sepidx == -1) {	
++  if (sepidx == -1) {    
+     /* Ticket either uri-escaped, base64-escaped, or bogus */
+     if (strstr(ticket, SEPARATOR_HEX)) {
+       ap_unescape_url(ticket);
+@@ -519,7 +536,7 @@ parse_ticket(request_rec *r, char **magic, auth_tkt *parsed)
+     }
+     else {
+       /* base64 encoded string always longer than original, so len+1 sufficient */
+-      char *buf = (char *) apr_palloc(r->pool, len+1);  
++      char *buf = (char *) apr_palloc(r->pool, len+1);
+       apr_base64_decode(buf, ticket);
+       sepidx = ap_ind(buf, SEPARATOR);
+       /* If still no sepidx, must be bogus */
+@@ -532,26 +549,26 @@ parse_ticket(request_rec *r, char **magic, auth_tkt *parsed)
+   }
+ 
+   /* Recheck length */
+-  if (len <= (sconf->digest_sz + TSTAMP_SZ) || 
+-      sepidx < (sconf->digest_sz + TSTAMP_SZ)) 
+-    return 0; 
++  if (len <= (sconf->digest_sz + TSTAMP_SZ) ||
++      sepidx < (sconf->digest_sz + TSTAMP_SZ))
++    return 0;
+ 
+   if (conf->debug >= 1) {
+-    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, 
++    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+       "TKT parse_ticket decoded ticket: '%s'", ticket);
+   }
+-  
++
+   /* Get the user id */
+   parsed->uid = apr_palloc(r->pool, sepidx - (sconf->digest_sz + TSTAMP_SZ) + 1);
+-  memcpy(parsed->uid, &ticket[(sconf->digest_sz + TSTAMP_SZ)], 
++  memcpy(parsed->uid, &ticket[(sconf->digest_sz + TSTAMP_SZ)],
+     sepidx - (sconf->digest_sz + TSTAMP_SZ));
+   parsed->uid[sepidx - (sconf->digest_sz + TSTAMP_SZ)] = '\0';
+-  
++
+   /* Check for tokens */
+   sep2idx = ap_ind(&ticket[sepidx+1], SEPARATOR);
+   if (sep2idx == -1) {
+     if (conf->debug >= 2) {
+-      ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, 
++      ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+          "TKT parse_ticket: no tokens");
+     }
+     parsed->tokens = apr_palloc(r->pool, 1);
+@@ -563,15 +580,15 @@ parse_ticket(request_rec *r, char **magic, auth_tkt *parsed)
+     sepidx = tmp + sep2idx + 1;
+     sep2idx = tmp;
+     if (conf->debug >= 2) {
+-      ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, 
+-        "TKT parse_ticket: tokens found - sep2=%d, sep=%d, len=%d", 
+-	sep2idx, sepidx, len);
++      ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++        "TKT parse_ticket: tokens found - sep2=%d, sep=%d, len=%d",
++    sep2idx, sepidx, len);
+     }
+     /* Copy tokens to parsed->tokens */
+     parsed->tokens = apr_palloc(r->pool, sepidx-sep2idx);
+     apr_snprintf(parsed->tokens, sepidx-sep2idx, "%s", &ticket[sep2idx+1]);
+     if (conf->debug >= 2) {
+-      ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, 
++      ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+         "TKT parse_ticket tokens: '%s'", parsed->tokens);
+     }
+   }
+@@ -579,25 +596,25 @@ parse_ticket(request_rec *r, char **magic, auth_tkt *parsed)
+   /* Copy user data to parsed->user_data */
+   parsed->user_data = apr_palloc(r->pool, len-sepidx+1);
+   apr_snprintf(parsed->user_data, len-sepidx+1, "%s", &ticket[sepidx+1]);
+-  
++
+   /* Copy timestamp to parsed->timestamp */
+   sscanf(&ticket[sconf->digest_sz], "%8x", &(parsed->timestamp));
+-  
++
+   return 1;
+ }
+ 
+ /* Search cookie headers for our ticket */
+-static int 
++static int
+ cookie_match(void *result, const char *key, const char *cookie)
+ {
+   cookie_res * cr = (cookie_res *) result;
+-  auth_tkt_dir_conf *conf = 
++  auth_tkt_dir_conf *conf =
+     ap_get_module_config(cr->r->per_dir_config, &auth_tkt_module);
+-  
++
+   if (cookie != NULL) {
+     char *cookie_name, *value, *cookiebuf, *end;
+     if (conf->debug >= 2) {
+-      ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, cr->r, 
++      ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, cr->r,
+         "TKT cookie_match, key %s against <%s> (name=%s)",
+         key, cookie, cr->cookie_name);
+     }
+@@ -623,7 +640,7 @@ cookie_match(void *result, const char *key, const char *cookie)
+       if (strlen(cookiebuf)) {
+         cr->cookie = cookiebuf;
+         if (conf->debug >= 1) {
+-          ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, cr->r, 
++          ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, cr->r,
+             "TKT cookie_match: found '%s'", cookiebuf);
+         }
+         return(0);
+@@ -631,7 +648,7 @@ cookie_match(void *result, const char *key, const char *cookie)
+     }
+   }
+   if (conf->debug >= 2) {
+-    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, cr->r, 
++    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, cr->r,
+      "TKT cookie_match: NOT found");
+   }
+   return (1);
+@@ -639,7 +656,7 @@ cookie_match(void *result, const char *key, const char *cookie)
+ 
+ /* Return the domain to use in cookies */
+ char *
+-get_domain(request_rec *r, auth_tkt_dir_conf *conf) 
++get_domain(request_rec *r, auth_tkt_dir_conf *conf)
+ {
+   /* Set the cookie domain to the first set of TKTAuthDomain,
+      X-Forwarded-Host, Host, or server hostname. Viljo Viitanen
+@@ -665,7 +682,7 @@ get_domain(request_rec *r, auth_tkt_dir_conf *conf)
+ static void
+ send_auth_cookie(request_rec *r, char *value)
+ {
+-  auth_tkt_dir_conf *conf = 
++  auth_tkt_dir_conf *conf =
+     ap_get_module_config(r->per_dir_config, &auth_tkt_module);
+   char *cookie, *expires;
+   char *domain = get_domain(r,conf);
+@@ -679,12 +696,12 @@ send_auth_cookie(request_rec *r, char *value)
+ #ifndef APACHE13
+   if (conf->cookie_expires > 0) {
+     apr_time_exp_t tms;
+-    apr_time_exp_gmt(&tms, r->request_time + 
++    apr_time_exp_gmt(&tms, r->request_time +
+       apr_time_from_sec(conf->cookie_expires));
+-    expires = 
++    expires =
+       apr_psprintf(r->pool, "; expires=%s, %.2d-%s-%.2d %.2d:%.2d:%.2d GMT",
+         apr_day_snames[tms.tm_wday],
+-        tms.tm_mday, 
++        tms.tm_mday,
+         apr_month_snames[tms.tm_mon],
+         tms.tm_year % 100,
+         tms.tm_hour, tms.tm_min, tms.tm_sec
+@@ -693,12 +710,12 @@ send_auth_cookie(request_rec *r, char *value)
+ #endif
+ 
+   /* Send the cookie */
+-  cookie = apr_psprintf(r->pool, "%s=%s; path=/%s%s%s", 
++  cookie = apr_psprintf(r->pool, "%s=%s; path=/%s%s%s",
+     conf->auth_cookie_name, value, domain, expires, secure_cookie);
+   apr_table_setn(r->err_headers_out, "Set-Cookie", cookie);
+ 
+   if (conf->debug >= 1) {
+-    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, 
++    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+       "TKT: sending cookie: %s=%s; path=/%s%s%s",
+         conf->auth_cookie_name, value, domain, expires, secure_cookie);
+   }
+@@ -708,7 +725,7 @@ send_auth_cookie(request_rec *r, char *value)
+ static char *
+ get_url_ticket(request_rec *r)
+ {
+-  auth_tkt_dir_conf *conf = 
++  auth_tkt_dir_conf *conf =
+     ap_get_module_config(r->per_dir_config, &auth_tkt_module);
+   const char *args = NULL;  /* url arguments string  */
+   const char *key, *val;
+@@ -717,12 +734,12 @@ get_url_ticket(request_rec *r)
+   /* Use main request args if subrequest */
+   request_rec *r_main = r->main == NULL ? r : r->main;
+   if (r_main->args != NULL) {
+-    args = apr_pstrdup(r->pool, r_main->args); 
++    args = apr_pstrdup(r->pool, r_main->args);
+   }
+ 
+   if (args != NULL) {
+     if (conf->debug >= 1) {
+-      ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, 
++      ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+         "TKT: looking for ticket in url: <%s>", args);
+     }
+ 
+@@ -731,12 +748,12 @@ get_url_ticket(request_rec *r)
+ 
+       if (strcmp(key,conf->auth_cookie_name) == 0) {
+         if (conf->debug >= 1) {
+-          ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, 
++          ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+             "TKT: found url ticket: <%s>", val);
+         }
+ 
+         /* Setup auth cookie using ticket value */
+-        send_auth_cookie(r, (char *) val); 
++        send_auth_cookie(r, (char *) val);
+ 
+         /* Found ticket - ignore rest of arguments */
+         ticket = (char *) val;
+@@ -749,12 +766,12 @@ get_url_ticket(request_rec *r)
+ }
+ 
+ /* Look for a cookie ticket */
+-static char * 
++static char *
+ get_cookie_ticket(request_rec *r)
+ {
+-  auth_tkt_serv_conf *sconf = 
++  auth_tkt_serv_conf *sconf =
+     ap_get_module_config(r->server->module_config, &auth_tkt_module);
+-  auth_tkt_dir_conf *conf = 
++  auth_tkt_dir_conf *conf =
+     ap_get_module_config(r->per_dir_config, &auth_tkt_module);
+ 
+   /* Walk cookie headers looking for matching ticket */
+@@ -770,7 +787,7 @@ get_cookie_ticket(request_rec *r)
+   }
+   if (strlen(cr->cookie) < sconf->digest_sz + TSTAMP_SZ) {
+     if (conf->debug >= 1) {
+-      ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, 
++      ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+         "TKT get_cookie_tkt: found cookie ticket, "
+         "but it's too short for a %s digest (%zu < %d)",
+         sconf->digest_type, strlen(cr->cookie), sconf->digest_sz + TSTAMP_SZ);
+@@ -782,18 +799,18 @@ get_cookie_ticket(request_rec *r)
+ }
+ 
+ /* Generate a ticket digest string from the given details */
+-static char * 
++static char *
+ ticket_digest(request_rec *r, auth_tkt *parsed, unsigned int timestamp, const char *secret)
+ {
+-  auth_tkt_serv_conf *sconf = 
++  auth_tkt_serv_conf *sconf =
+     ap_get_module_config(r->server->module_config, &auth_tkt_module);
+-  auth_tkt_dir_conf *conf = 
++  auth_tkt_dir_conf *conf =
+     ap_get_module_config(r->per_dir_config, &auth_tkt_module);
+   char *uid = parsed->uid;
+   char *tokens = parsed->tokens;
+   char *user_data = parsed->user_data;
+ 
+-  unsigned char *buf = apr_palloc(r->pool, 
++  unsigned char *buf = apr_palloc(r->pool,
+     TSTAMP_SZ + strlen(secret) + strlen(uid) + 1 + strlen(tokens) + 1 + strlen(user_data) + 1);
+   unsigned char *buf2 = apr_palloc(r->pool, sconf->digest_sz + strlen(secret));
+   int len = 0;
+@@ -812,7 +829,7 @@ ticket_digest(request_rec *r, auth_tkt *parsed, unsigned int timestamp, const ch
+   if (timestamp == 0) timestamp = parsed->timestamp;
+ 
+   if (conf->debug >= 2) {
+-    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, 
++    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+       "TKT ticket_digest: using secret '%s', ip '%s', ts '%d'", secret, remote_ip, timestamp);
+   }
+ 
+@@ -824,13 +841,13 @@ ticket_digest(request_rec *r, auth_tkt *parsed, unsigned int timestamp, const ch
+   buf[0] = (unsigned char ) ((ip & 0xff000000) >> 24);
+   buf[1] = (unsigned char ) ((ip & 0xff0000) >> 16);
+   buf[2] = (unsigned char ) ((ip & 0xff00) >> 8);
+-  buf[3] = (unsigned char ) ((ip & 0xff));  
+-  buf[4] = (unsigned char ) ((timestamp	& 0xff000000) >> 24);
+-  buf[5] = (unsigned char ) ((timestamp	& 0xff0000) >> 16);
+-  buf[6] = (unsigned char ) ((timestamp	& 0xff00) >> 8);
+-  buf[7] = (unsigned char ) ((timestamp	& 0xff));  
++  buf[3] = (unsigned char ) ((ip & 0xff));
++  buf[4] = (unsigned char ) ((timestamp    & 0xff000000) >> 24);
++  buf[5] = (unsigned char ) ((timestamp    & 0xff0000) >> 16);
++  buf[6] = (unsigned char ) ((timestamp    & 0xff00) >> 8);
++  buf[7] = (unsigned char ) ((timestamp    & 0xff));
+   len = 8;
+-  
++
+   /* Append remaining components to buf */
+   strcpy((char *)&buf[len], secret);
+   len += strlen(secret);
+@@ -857,7 +874,7 @@ ticket_digest(request_rec *r, auth_tkt *parsed, unsigned int timestamp, const ch
+     digest = ap_md5_binary(r->pool, buf, len);
+   }
+   if (conf->debug >= 3) {
+-    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, 
++    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+       "TKT ticket_digest: digest0: '%s' (input length %d)", digest, len);
+   }
+ 
+@@ -879,7 +896,7 @@ ticket_digest(request_rec *r, auth_tkt *parsed, unsigned int timestamp, const ch
+     digest = ap_md5_binary(r->pool, buf2, len);
+   }
+   if (conf->debug >= 3) {
+-    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, 
++    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+       "TKT ticket_digest: digest: '%s'", digest);
+   }
+ 
+@@ -897,21 +914,21 @@ valid_ticket(request_rec *r, const char *source, char *ticket, auth_tkt *parsed,
+   char *digest;
+   auth_tkt_serv_conf *sconf =
+     ap_get_module_config(r->server->module_config, &auth_tkt_module);
+-  auth_tkt_dir_conf *conf = 
++  auth_tkt_dir_conf *conf =
+     ap_get_module_config(r->per_dir_config, &auth_tkt_module);
+ 
+   /* Attempt to parse ticket */
+   if (! parse_ticket(r, &ticket, parsed)) {
+     if (conf->debug >= 1) {
+-      ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r, 
++      ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r,
+         "TKT valid_ticket: unparseable %s ticket found ('%s')", source, ticket);
+     }
+     return 0;
+   }
+ 
+   if (conf->debug >= 1) {
+-    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, 
+-      "TKT valid_ticket: (parsed) uid '%s', tokens '%s', user_data '%s', ts '%d'", 
++    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++      "TKT valid_ticket: (parsed) uid '%s', tokens '%s', user_data '%s', ts '%d'",
+       parsed->uid, parsed->tokens, parsed->user_data, parsed->timestamp);
+   }
+ 
+@@ -921,9 +938,9 @@ valid_ticket(request_rec *r, const char *source, char *ticket, auth_tkt *parsed,
+ 
+     /* Digest mismatch - if no old secret set, fail */
+     if(sconf->old_secret == NULL) {
+-      ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r, 
++      ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r,
+         "TKT valid_ticket: ticket hash (current secret) is invalid, and no old secret set "
+-        "- digest '%s', ticket '%s'", 
++        "- digest '%s', ticket '%s'",
+         digest, ticket);
+       return 0;
+     }
+@@ -931,13 +948,13 @@ valid_ticket(request_rec *r, const char *source, char *ticket, auth_tkt *parsed,
+     /* Digest mismatch - if old_secret is set, recalculate using that */
+     else {
+       if (conf->debug >= 1) {
+-        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, 
++        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+           "TKT valid_ticket: ticket hash (current secret) is invalid, but old_secret is set - checking ticket digest against that");
+       }
+       digest = ticket_digest(r, parsed, 0, sconf->old_secret);
+       if (memcmp(ticket, digest, sconf->digest_sz) != 0) {
+-        ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r, 
+-          "TKT valid_ticket: ticket hash (old secret) is also invalid - digest '%s', ticket '%s'", 
++        ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r,
++          "TKT valid_ticket: ticket hash (old secret) is also invalid - digest '%s', ticket '%s'",
+           digest, ticket);
+         return 0;
+       }
+@@ -946,7 +963,7 @@ valid_ticket(request_rec *r, const char *source, char *ticket, auth_tkt *parsed,
+       else {
+         if (force_refresh != NULL) {
+           if (conf->debug >= 1) {
+-            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, 
++            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+               "TKT valid_ticket: ticket_digest validated with old_secret - forcing a cookie refresh");
+           }
+           *force_refresh = 1;
+@@ -958,31 +975,31 @@ valid_ticket(request_rec *r, const char *source, char *ticket, auth_tkt *parsed,
+   return 1;
+ }
+ 
+-/* Check for required auth tokens 
++/* Check for required auth tokens
+  * Returns 1 on success, 0 on failure */
+ static int
+ check_tokens(request_rec *r, char *tokens)
+ {
+-  auth_tkt_dir_conf *conf = 
++  auth_tkt_dir_conf *conf =
+     ap_get_module_config(r->per_dir_config, &auth_tkt_module);
+   char *next_parsed_token;
+   const char *t = NULL;
+-  int match = 0; 
++  int match = 0;
+ 
+   /* Success if no tokens required */
+-  if (conf->auth_token->nelts == 0 || 
++  if (conf->auth_token->nelts == 0 ||
+       strcmp(((char **) conf->auth_token->elts)[0], "NULL") == 0) {
+     return 1;
+   }
+   /* Failure if required and no user tokens found */
+   if (tokens == NULL || strlen(tokens) == 0) {
+-    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, 
++    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+       "TKT: no matching tokens! (no user tokens found)");
+     return 0;
+   }
+ 
+-  t = apr_pstrdup(r->pool, tokens); 
+-  
++  t = apr_pstrdup(r->pool, tokens);
++
+   while (*t && (next_parsed_token = ap_getword(r->pool, &t, ','))) {
+     char ** auth_tokens = (char **) conf->auth_token->elts;
+     int i;
+@@ -990,16 +1007,16 @@ check_tokens(request_rec *r, char *tokens)
+     for (i=0; i < conf->auth_token->nelts; i++) {
+       int token_len = strlen(auth_tokens[i]);
+       if (strncmp(auth_tokens[i], next_parsed_token, token_len) == 0 &&
+-	  next_parsed_token[token_len] == 0) {
+-	match = 1;
+-	break;
++      next_parsed_token[token_len] == 0) {
++    match = 1;
++    break;
+       }
+     }
+     if (match) break;
+   }
+ 
+   if (conf->debug >= 1 && ! match) {
+-    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, 
++    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+       "TKT: no matching tokens! (user tokens '%s')", tokens);
+   }
+ 
+@@ -1010,24 +1027,24 @@ check_tokens(request_rec *r, char *tokens)
+ static void
+ refresh_cookie(request_rec *r, auth_tkt *parsed, int timeout, int force_flag)
+ {
+-  auth_tkt_serv_conf *sconf = 
++  auth_tkt_serv_conf *sconf =
+     ap_get_module_config(r->server->module_config, &auth_tkt_module);
+-  auth_tkt_dir_conf *conf = 
++  auth_tkt_dir_conf *conf =
+     ap_get_module_config(r->per_dir_config, &auth_tkt_module);
+ 
+   /* The timeout refresh is a double between 0 and 1, signifying what
+-   * proportion of the timeout should be left before we refresh i.e. 
++   * proportion of the timeout should be left before we refresh i.e.
+    * 0 means never refresh (hard timeouts); 1 means always refresh;
+-   * .33 means only refresh if less than a third of the timeout 
+-   * period remains. */ 
++   * .33 means only refresh if less than a third of the timeout
++   * period remains. */
+   unsigned int now = time(NULL);
+   int remainder = parsed->timestamp + timeout - now;
+   double refresh_sec = conf->timeout_refresh * timeout;
+ 
+   if (conf->debug >= 1) {
+-    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, 
++    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+       "TKT refresh_cookie: timeout %d, refresh %.3f, remainder %d, refresh_sec %.3f, force_flag %d",
+-	timeout, conf->timeout_refresh, remainder, refresh_sec, force_flag);
++    timeout, conf->timeout_refresh, remainder, refresh_sec, force_flag);
+   }
+ 
+   /* If less than our refresh_sec threshold, freshen the cookie */
+@@ -1036,29 +1053,29 @@ refresh_cookie(request_rec *r, auth_tkt *parsed, int timeout, int force_flag)
+     char *digest = ticket_digest(r, parsed, now, sconf->secret);
+     if (parsed->tokens) {
+       ticket = apr_psprintf(r->pool,
+-        "%s%08x%s%c%s%c%s", 
+-          digest, now, parsed->uid, 
+-	  SEPARATOR, parsed->tokens, 
+-	  SEPARATOR, parsed->user_data);
++        "%s%08x%s%c%s%c%s",
++          digest, now, parsed->uid,
++      SEPARATOR, parsed->tokens,
++      SEPARATOR, parsed->user_data);

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201210251515.q9PFFq8x086051>