From owner-svn-ports-all@FreeBSD.ORG Thu Oct 25 15:15:53 2012 Return-Path: Delivered-To: svn-ports-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 38FEDC0D; Thu, 25 Oct 2012 15:15:53 +0000 (UTC) (envelope-from kuriyama@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 178DD8FC14; Thu, 25 Oct 2012 15:15:53 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q9PFFrY0086054; Thu, 25 Oct 2012 15:15:53 GMT (envelope-from kuriyama@svn.freebsd.org) Received: (from kuriyama@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id q9PFFq8x086051; Thu, 25 Oct 2012 15:15:52 GMT (envelope-from kuriyama@svn.freebsd.org) Message-Id: <201210251515.q9PFFq8x086051@svn.freebsd.org> From: Jun Kuriyama Date: Thu, 25 Oct 2012 15:15:52 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r306385 - in head/www/mod_auth_tkt: . files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Oct 2012 15:15:53 -0000 Author: kuriyama Date: Thu Oct 25 15:15:52 2012 New Revision: 306385 URL: http://svn.freebsd.org/changeset/ports/306385 Log: - Add option to use TKTAuthQuerySeparator directive. Obtained from: https://github.com/gavincarr/mod_auth_tkt Feature safe: yes Added: head/www/mod_auth_tkt/files/ head/www/mod_auth_tkt/files/extra-patch-query-separator (contents, props changed) Modified: head/www/mod_auth_tkt/Makefile Modified: head/www/mod_auth_tkt/Makefile ============================================================================== --- head/www/mod_auth_tkt/Makefile Thu Oct 25 14:31:01 2012 (r306384) +++ head/www/mod_auth_tkt/Makefile Thu Oct 25 15:15:52 2012 (r306385) @@ -3,6 +3,7 @@ PORTNAME= mod_auth_tkt PORTVERSION= 2.1.0 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_LOCAL} \ http://www.openfusion.com.au/labs/dist/mod_auth_tkt/ @@ -13,12 +14,24 @@ COMMENT= Lightweight single-sign-on auth USE_APACHE= 22 WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}/src +PATCH_WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION} +PATCH_STRIP= -p1 AP_FAST_BUILD= yes SRC_FILE= ${PORTNAME}.c sha2.c AP_EXTRAS= -DAPACHE22 MAN3= mod_auth_tkt.3 +OPTIONS_DEFINE= QUERY_SEP +QUERY_SEP_DESC= Experimental TKTAuthQuerySeparator directive +OPTIONS_DEFAULT=QUERY_SEP + +.include + +.if ${PORT_OPTIONS:MQUERY_SEP} +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-query-separator +.endif + post-patch: ${REINPLACE_CMD} -e 's|.usr/share/man|${PREFIX}/man|' ${WRKSRC}/../Makedefs Added: head/www/mod_auth_tkt/files/extra-patch-query-separator ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/mod_auth_tkt/files/extra-patch-query-separator Thu Oct 25 15:15:52 2012 (r306385) @@ -0,0 +1,1454 @@ +diff --git a/cgi/logout.cgi b/cgi/logout.cgi +index b2a830c..41fa7e1 100755 +--- a/cgi/logout.cgi ++++ b/cgi/logout.cgi +@@ -33,16 +33,19 @@ $back ||= $q->cookie($at->back_cookie_name) if $at->back_cookie_name; + $back ||= $q->param($at->back_arg_name) if $at->back_arg_name; + $back = $AuthTktConfig::DEFAULT_BACK_LOCATION if $AuthTktConfig::DEFAULT_BACK_LOCATION; + $back ||= $ENV{HTTP_REFERER} if $ENV{HTTP_REFERER} && $AuthTktConfig::BACK_REFERER; +-if ($back && $back =~ m!^/!) { +- my $hostname = $server_name; +- my $port = $server_port; +- $hostname .= ':' . $port if $port && $port != 80 && $port != 443; +- $back = sprintf "http%s://%s%s", ($port == 443 ? 's' : ''), $hostname, $back; +-} elsif ($back && $back !~ m/^http/i) { +- $back = 'http://' . $back; ++my $back_html = ''; ++if ($back) { ++ if ($back =~ m!^/!) { ++ my $hostname = $server_name; ++ my $port = $server_port; ++ $hostname .= ':' . $port if $port && $port != 80 && $port != 443; ++ $back = sprintf "http%s://%s%s", ($port == 443 ? 's' : ''), $hostname, $back; ++ } elsif ($back !~ m/^http/i) { ++ $back = 'http://' . $back; ++ } ++ $back = uri_unescape($back) if $back =~ m/^https?%3A%2F%2F/; ++ $back_html = escapeHTML($back); + } +-$back = uri_unescape($back) if $back =~ m/^https?%3A%2F%2F/; +-my $back_html = escapeHTML($back) if $back; + + # Logout by resetting the auth cookie + my @cookies = cookie(-name => $at->cookie_name, -value => '', -expires => '-1h', +diff --git a/conf/auth_tkt_cgi.conf b/conf/auth_tkt_cgi.conf +index e2546bc..e969c44 100644 +--- a/conf/auth_tkt_cgi.conf ++++ b/conf/auth_tkt_cgi.conf +@@ -13,6 +13,9 @@ + # Digest type to use - default is MD5, alternatives are SHA256 or SHA512 + #TKTAuthDigestType MD5 + ++# Query separator for generated URLs. Defaults to semi-colon (';') ++#TKTAuthQuerySeparator & ++ + # Used by sample CGI scripts to locate this config file + SetEnv MOD_AUTH_TKT_CONF "/etc/httpd/conf.d/auth_tkt_cgi.conf" + +diff --git a/doc/mod_auth_tkt.pod b/doc/mod_auth_tkt.pod +index dd7d85c..edf0590 100644 +--- a/doc/mod_auth_tkt.pod ++++ b/doc/mod_auth_tkt.pod +@@ -227,7 +227,9 @@ the ticket hashing, so you should always set a TKTAuthTimeout in + addition to using an expiry. Cookie expiries are refreshed with + tickets if TKTAuthTimeoutRefresh is set. + +-Default: none. Examples: ++Default: none (not used). ++ ++e.g. + + TKTAuthCookieExpires 86400 + TKTAuthCookieExpires 1w +@@ -245,6 +247,11 @@ http://www.example.com/index.html and TKTAuthBackArgName is set to + + to the TKTAuthLoginURL it redirects to, allowing your login script + to redirect back to the requested page upon successful login. ++ ++To omit altogether, set to the string B i.e. ++ ++ TKTAuthBackArgName None ++ + Default: 'back'. + + =item TKTAuthBackCookieName +@@ -252,7 +259,9 @@ Default: 'back'. + The cookie name to use for the back cookie. If this is set, + mod_auth_tkt will set a back cookie containing a URI-escaped version + of current requested page when redirecting (see TKTAuthBackArgName +-above). Default: none. ++above), instead of using a GET parameter. ++ ++Default: none (not used). + + =item TKTAuthToken + +@@ -267,7 +276,9 @@ Note that this directive can be repeated, and the semantics are that + B of the required tokens is sufficient for access i.e. the tokens + are ORed. + +-Default: none. e.g. ++Default: none (not used). ++ ++e.g. + + TKTAuthToken finance + TKTAuthToken admin +@@ -281,8 +292,12 @@ this as well, setting the client IP address to 0.0.0.0). This is + often required out on the open internet, especially if you are + using an HTTPS login page (as you should) and are dealing with + more than a handful of users (the typical problem being +-transparent HTTP proxies at ISPs). Default: 'off' i.e. ticket +-is only valid from the originating IP address. e.g. ++transparent HTTP proxies at ISPs). ++ ++Default: 'off' i.e. ticket is only valid from the originating ++IP address. ++ ++e.g. + + TKTAuthIgnoreIP on + +diff --git a/src/mod_auth_tkt.c b/src/mod_auth_tkt.c +index c2609e9..74bb669 100644 +--- a/src/mod_auth_tkt.c ++++ b/src/mod_auth_tkt.c +@@ -38,6 +38,7 @@ + #define REMOTE_USER_TOKENS_ENV "REMOTE_USER_TOKENS" + #define DEFAULT_TIMEOUT_SEC 7200 + #define DEFAULT_GUEST_USER "guest" ++#define QUERY_SEPARATOR ';' + + #define FORCE_REFRESH 1 + #define CHECK_REFRESH 0 +@@ -68,6 +69,7 @@ typedef struct { + char *guest_user; + int guest_fallback; + int debug; ++ const char *query_separator; + } auth_tkt_dir_conf; + + /* Per-server configuration */ +@@ -99,24 +101,24 @@ void + auth_tkt_version(server_rec *s, pool *p) + { + ap_add_version_component("mod_auth_tkt/" TKT_AUTH_VERSION); +- ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s, ++ ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s, + "mod_auth_tkt: version %s", TKT_AUTH_VERSION); + } + + #else + static int +-auth_tkt_version(apr_pool_t *p, ++auth_tkt_version(apr_pool_t *p, + apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s) + { + ap_add_version_component(p, "mod_auth_tkt/" TKT_AUTH_VERSION); +- ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s, ++ ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s, + "mod_auth_tkt: version %s", TKT_AUTH_VERSION); + return DECLINED; + } + #endif + + /* Create per-dir config structures */ +-static void * ++static void * + create_auth_tkt_config(apr_pool_t *p, char* path) + { + auth_tkt_dir_conf *conf = apr_palloc(p, sizeof(*conf)); +@@ -142,11 +144,12 @@ create_auth_tkt_config(apr_pool_t *p, char* path) + conf->guest_user = NULL; + conf->guest_fallback = -1; + conf->debug = -1; +- return conf; ++ conf->query_separator = (char *)QUERY_SEPARATOR; ++ return conf; + } + + /* Merge per-dir config structures */ +-static void * ++static void * + merge_auth_tkt_config(apr_pool_t *p, void* parent_dirv, void* subdirv) + { + auth_tkt_dir_conf *parent = (auth_tkt_dir_conf *) parent_dirv; +@@ -174,6 +177,7 @@ merge_auth_tkt_config(apr_pool_t *p, void* parent_dirv, void* subdirv) + conf->guest_user = (subdir->guest_user) ? subdir->guest_user : parent->guest_user; + conf->guest_fallback = (subdir->guest_fallback >= 0) ? subdir->guest_fallback : parent->guest_fallback; + conf->debug = (subdir->debug >= 0) ? subdir->debug : parent->debug; ++ conf->query_separator = (subdir->query_separator) ? subdir->query_separator : parent->query_separator; + + return conf; + } +@@ -188,7 +192,7 @@ create_auth_tkt_serv_config(apr_pool_t *p, server_rec* s) + sconf->digest_type = NULL; + sconf->digest_sz = 0; + return sconf; +-} ++} + + /* Merge per-server config structures */ + static void * +@@ -203,7 +207,7 @@ merge_auth_tkt_serv_config(apr_pool_t *p, void* parent_dirv, void* subdirv) + sconf->digest_type = (subdir->digest_type) ? subdir->digest_type : parent->digest_type; + sconf->digest_sz = (subdir->digest_sz) ? subdir->digest_sz : parent->digest_sz; + return sconf; +-} ++} + + /* ----------------------------------------------------------------------- */ + /* Command-specific functions */ +@@ -243,8 +247,8 @@ convert_to_seconds (cmd_parms *cmd, const char *param, int *seconds) + multiplier = 30 * 24 * 60 * 60; + else if (unit == 'y') + multiplier = 365 * 24 * 60 * 60; +- else +- return apr_psprintf(cmd->pool, ++ else ++ return apr_psprintf(cmd->pool, + "Bad time string - unrecognised unit '%c'", unit); + } + +@@ -256,7 +260,7 @@ convert_to_seconds (cmd_parms *cmd, const char *param, int *seconds) + static const char * + set_auth_tkt_token (cmd_parms *cmd, void *cfg, const char *param) + { +- char **new; ++ char **new; + auth_tkt_dir_conf *conf = (auth_tkt_dir_conf *) cfg; + + new = (char **) apr_array_push(conf->auth_token); +@@ -270,12 +274,12 @@ set_auth_tkt_timeout (cmd_parms *cmd, void *cfg, const char *param) + auth_tkt_dir_conf *conf = (auth_tkt_dir_conf *)cfg; + int seconds = conf->timeout_sec; + const char *error; +- ++ + /* Easy case - looks like all digits */ + if (apr_isdigit(param[0]) && apr_isdigit(param[strlen(param) - 1])) { + seconds = atoi(param); + } +- ++ + /* Harder case - convert units to seconds */ + else { + error = convert_to_seconds(cmd, param, &seconds); +@@ -286,7 +290,7 @@ set_auth_tkt_timeout (cmd_parms *cmd, void *cfg, const char *param) + if (seconds == INT_MAX) return ("Integer overflow or invalid number"); + + conf->timeout_sec = seconds; +- ++ + return NULL; + } + +@@ -294,14 +298,14 @@ static const char * + set_auth_tkt_timeout_min (cmd_parms *cmd, void *cfg, const char *param) + { + auth_tkt_dir_conf *conf = (auth_tkt_dir_conf *)cfg; +- ++ + int minutes = atoi(param); +- ++ + if (minutes < 0) return ("Timeout must be positive"); + if (minutes == INT_MAX) return ("Integer overflow or invalid number"); +- ++ + conf->timeout_sec = minutes * 60; +- ++ + return NULL; + } + +@@ -309,21 +313,21 @@ static const char * + set_auth_tkt_timeout_refresh (cmd_parms *cmd, void *cfg, const char *param) + { + auth_tkt_dir_conf *conf = (auth_tkt_dir_conf *)cfg; +- ++ + double refresh = atof(param); + +- if (refresh < 0 || refresh > 1) ++ if (refresh < 0 || refresh > 1) + return "Refresh flag must be between 0 and 1"; +- ++ + conf->timeout_refresh = refresh; +- ++ + return NULL; + } + + static const char * + setup_secret (cmd_parms *cmd, void *cfg, const char *param) + { +- auth_tkt_serv_conf *sconf = ++ auth_tkt_serv_conf *sconf = + ap_get_module_config(cmd->server->module_config, &auth_tkt_module); + sconf->secret = param; + return NULL; +@@ -332,12 +336,22 @@ setup_secret (cmd_parms *cmd, void *cfg, const char *param) + static const char * + setup_old_secret (cmd_parms *cmd, void *cfg, const char *param) + { +- auth_tkt_serv_conf *sconf = ap_get_module_config(cmd->server->module_config, ++ auth_tkt_serv_conf *sconf = ap_get_module_config(cmd->server->module_config, + &auth_tkt_module); + sconf->old_secret = param; + return NULL; + } + ++static const char * ++setup_query_separator (cmd_parms *cmd, void *cfg, const char *param) ++{ ++ if (strcmp(param, ";") != 0 && strcmp(param, "&") != 0) ++ return "QuerySeparator must be either ';' or '&'."; ++ auth_tkt_dir_conf *conf = (auth_tkt_dir_conf *)cfg; ++ conf->query_separator = param; ++ return NULL; ++} ++ + void + setup_digest_sz (auth_tkt_serv_conf *sconf) + { +@@ -355,10 +369,10 @@ setup_digest_sz (auth_tkt_serv_conf *sconf) + static const char * + setup_digest_type (cmd_parms *cmd, void *cfg, const char *param) + { +- auth_tkt_serv_conf *sconf = ++ auth_tkt_serv_conf *sconf = + ap_get_module_config(cmd->server->module_config, &auth_tkt_module); + +- if (strcmp(param, "MD5") != 0 && ++ if (strcmp(param, "MD5") != 0 && + strcmp(param, "SHA256") != 0 && + strcmp(param, "SHA512") != 0) + return "Digest type must be one of: MD5 | SHA256 | SHA512."; +@@ -391,7 +405,7 @@ set_cookie_expires (cmd_parms *cmd, void *cfg, const char *param) + if (seconds == INT_MAX) return ("Integer overflow or invalid number"); + + conf->cookie_expires = seconds; +- ++ + return NULL; + } + +@@ -399,90 +413,93 @@ static const char * + set_auth_tkt_debug (cmd_parms *cmd, void *cfg, const char *param) + { + auth_tkt_dir_conf *conf = (auth_tkt_dir_conf *)cfg; +- ++ + int debug = atoi(param); +- ++ + if (debug < 0) return ("Debug level must be positive"); + if (debug == INT_MAX) return ("Integer overflow or invalid number"); +- ++ + conf->debug = debug; +- ++ + return NULL; + } + + /* Command table */ + static const command_rec auth_tkt_cmds[] = + { +- AP_INIT_TAKE1("TKTAuthLoginURL", ap_set_string_slot, ++ AP_INIT_TAKE1("TKTAuthLoginURL", ap_set_string_slot, + (void *)APR_OFFSETOF(auth_tkt_dir_conf, login_url), + OR_AUTHCFG, "URL to redirect to if authentication fails"), +- AP_INIT_TAKE1("TKTAuthTimeoutURL", ap_set_string_slot, ++ AP_INIT_TAKE1("TKTAuthTimeoutURL", ap_set_string_slot, + (void *)APR_OFFSETOF(auth_tkt_dir_conf, timeout_url), + OR_AUTHCFG, "URL to redirect to if cookie times-out"), +- AP_INIT_TAKE1("TKTAuthPostTimeoutURL", ap_set_string_slot, ++ AP_INIT_TAKE1("TKTAuthPostTimeoutURL", ap_set_string_slot, + (void *)APR_OFFSETOF(auth_tkt_dir_conf, post_timeout_url), + OR_AUTHCFG, "URL to redirect to if cookie times-out doing a POST"), +- AP_INIT_TAKE1("TKTAuthUnauthURL", ap_set_string_slot, ++ AP_INIT_TAKE1("TKTAuthUnauthURL", ap_set_string_slot, + (void *)APR_OFFSETOF(auth_tkt_dir_conf, unauth_url), + OR_AUTHCFG, "URL to redirect to if valid user without required token"), +- AP_INIT_TAKE1("TKTAuthCookieName", ap_set_string_slot, ++ AP_INIT_TAKE1("TKTAuthCookieName", ap_set_string_slot, + (void *)APR_OFFSETOF(auth_tkt_dir_conf, auth_cookie_name), + OR_AUTHCFG, "name to use for ticket cookie"), +- AP_INIT_TAKE1("TKTAuthDomain", ap_set_string_slot, ++ AP_INIT_TAKE1("TKTAuthDomain", ap_set_string_slot, + (void *)APR_OFFSETOF(auth_tkt_dir_conf, auth_domain), + OR_AUTHCFG, "domain to use in cookies"), + #ifndef APACHE13 + /* TKTAuthCookieExpires is not supported under Apache 1.3 */ +- AP_INIT_ITERATE("TKTAuthCookieExpires", set_cookie_expires, ++ AP_INIT_ITERATE("TKTAuthCookieExpires", set_cookie_expires, + (void *)APR_OFFSETOF(auth_tkt_dir_conf, cookie_expires), + OR_AUTHCFG, "cookie expiry period, in seconds or units [smhdwMy]"), + #endif +- AP_INIT_TAKE1("TKTAuthBackCookieName", ap_set_string_slot, ++ AP_INIT_TAKE1("TKTAuthBackCookieName", ap_set_string_slot, + (void *)APR_OFFSETOF(auth_tkt_dir_conf, back_cookie_name), +- OR_AUTHCFG, "name to use for back cookie (NULL for none)"), +- AP_INIT_TAKE1("TKTAuthBackArgName", ap_set_string_slot, ++ OR_AUTHCFG, "name to use for back cookie (default: none)"), ++ AP_INIT_TAKE1("TKTAuthBackArgName", ap_set_string_slot, + (void *)APR_OFFSETOF(auth_tkt_dir_conf, back_arg_name), +- OR_AUTHCFG, "name to use for back url argument (NULL for none)"), +- AP_INIT_FLAG("TKTAuthIgnoreIP", ap_set_flag_slot, ++ OR_AUTHCFG, "name to use for back url argument ('None' to not use)"), ++ AP_INIT_FLAG("TKTAuthIgnoreIP", ap_set_flag_slot, + (void *)APR_OFFSETOF(auth_tkt_dir_conf, ignore_ip), + OR_AUTHCFG, "whether to ignore remote IP address in ticket"), +- AP_INIT_FLAG("TKTAuthRequireSSL", ap_set_flag_slot, ++ AP_INIT_FLAG("TKTAuthRequireSSL", ap_set_flag_slot, + (void *)APR_OFFSETOF(auth_tkt_dir_conf, require_ssl), + OR_AUTHCFG, "whether to refuse non-HTTPS requests"), +- AP_INIT_FLAG("TKTAuthCookieSecure", ap_set_flag_slot, ++ AP_INIT_FLAG("TKTAuthCookieSecure", ap_set_flag_slot, + (void *)APR_OFFSETOF(auth_tkt_dir_conf, secure_cookie), + OR_AUTHCFG, "whether to set secure flag on ticket cookies"), +- AP_INIT_ITERATE("TKTAuthToken", set_auth_tkt_token, ++ AP_INIT_ITERATE("TKTAuthToken", set_auth_tkt_token, + (void *)APR_OFFSETOF(auth_tkt_dir_conf, auth_token), + OR_AUTHCFG, "token required to access this area (NULL for none)"), +- AP_INIT_ITERATE("TKTAuthTimeout", set_auth_tkt_timeout, ++ AP_INIT_ITERATE("TKTAuthTimeout", set_auth_tkt_timeout, + (void *)APR_OFFSETOF(auth_tkt_dir_conf, timeout_sec), + OR_AUTHCFG, "ticket inactivity timeout, in seconds or units [smhdwMy]"), +- AP_INIT_TAKE1("TKTAuthTimeoutMin", set_auth_tkt_timeout_min, ++ AP_INIT_TAKE1("TKTAuthTimeoutMin", set_auth_tkt_timeout_min, + NULL, OR_AUTHCFG, "ticket inactivity timeout, in minutes (deprecated)"), +- AP_INIT_TAKE1("TKTAuthTimeoutRefresh", set_auth_tkt_timeout_refresh, ++ AP_INIT_TAKE1("TKTAuthTimeoutRefresh", set_auth_tkt_timeout_refresh, + NULL, OR_AUTHCFG, "ticket timeout refresh flag (0-1)"), +- AP_INIT_TAKE1("TKTAuthSecret", setup_secret, ++ AP_INIT_TAKE1("TKTAuthSecret", setup_secret, + NULL, RSRC_CONF, "secret key to use in digest"), +- AP_INIT_TAKE1("TKTAuthSecretOld", setup_old_secret, ++ AP_INIT_TAKE1("TKTAuthSecretOld", setup_old_secret, + NULL, RSRC_CONF, "old/alternative secret key to check in digests"), +- AP_INIT_TAKE1("TKTAuthDigestType", setup_digest_type, +- NULL, RSRC_CONF, "digest type to use [MD5|SHA256|SHA512], default MD5"), ++ AP_INIT_TAKE1("TKTAuthDigestType", setup_digest_type, ++ NULL, RSRC_CONF, "digest type to use [MD5|SHA256|SHA512], default: MD5"), + AP_INIT_FLAG("TKTAuthGuestLogin", ap_set_flag_slot, + (void *)APR_OFFSETOF(auth_tkt_dir_conf, guest_login), + OR_AUTHCFG, "whether to log people in as guest if no other auth available"), + AP_INIT_FLAG("TKTAuthGuestCookie", ap_set_flag_slot, + (void *)APR_OFFSETOF(auth_tkt_dir_conf, guest_cookie), +- OR_AUTHCFG, "whether to set a cookie when accepting guest users (default off)"), +- AP_INIT_TAKE1("TKTAuthGuestUser", ap_set_string_slot, ++ OR_AUTHCFG, "whether to set a cookie when accepting guest users (default: off)"), ++ AP_INIT_TAKE1("TKTAuthGuestUser", ap_set_string_slot, + (void *)APR_OFFSETOF(auth_tkt_dir_conf, guest_user), + OR_AUTHCFG, "username to use for guest logins"), + AP_INIT_FLAG("TKTAuthGuestFallback", ap_set_flag_slot, + (void *)APR_OFFSETOF(auth_tkt_dir_conf, guest_fallback), +- OR_AUTHCFG, "whether to fall back to guest on an expired ticket (default off)"), +- AP_INIT_ITERATE("TKTAuthDebug", set_auth_tkt_debug, ++ OR_AUTHCFG, "whether to fall back to guest on an expired ticket (default: off)"), ++ AP_INIT_ITERATE("TKTAuthDebug", set_auth_tkt_debug, + (void *)APR_OFFSETOF(auth_tkt_dir_conf, debug), + OR_AUTHCFG, "debug level (1-3, higher for more debug output)"), ++ AP_INIT_TAKE1("TKTAuthQuerySeparator", setup_query_separator, ++ (void *)APR_OFFSETOF(auth_tkt_dir_conf, query_separator), ++ OR_AUTHCFG, "Character used in query strings to separate arguments (default: ';')"), + {NULL}, + }; + +@@ -490,28 +507,28 @@ static const command_rec auth_tkt_cmds[] = + /* Support functions */ + + /* Parse cookie. Returns 1 if valid, and details in *parsed; 0 if not */ +-static int ++static int + parse_ticket(request_rec *r, char **magic, auth_tkt *parsed) + { + int sepidx, sep2idx; + char *ticket = *magic; + int len = strlen(ticket); +- auth_tkt_serv_conf *sconf = ++ auth_tkt_serv_conf *sconf = + ap_get_module_config(r->server->module_config, &auth_tkt_module); +- auth_tkt_dir_conf *conf = ++ auth_tkt_dir_conf *conf = + ap_get_module_config(r->per_dir_config, &auth_tkt_module); +- ++ + /* For some reason (some clients?), tickets sometimes come in quoted */ + if (ticket[len-1] == '"') ticket[len-1] = 0; + if (ticket[0] == '"') *magic = ++ticket; + + /* Basic length check for min size */ + if (len <= (sconf->digest_sz + TSTAMP_SZ)) +- return 0; +- ++ return 0; ++ + /* See if there is a uid/data separator */ + sepidx = ap_ind(ticket, SEPARATOR); +- if (sepidx == -1) { ++ if (sepidx == -1) { + /* Ticket either uri-escaped, base64-escaped, or bogus */ + if (strstr(ticket, SEPARATOR_HEX)) { + ap_unescape_url(ticket); +@@ -519,7 +536,7 @@ parse_ticket(request_rec *r, char **magic, auth_tkt *parsed) + } + else { + /* base64 encoded string always longer than original, so len+1 sufficient */ +- char *buf = (char *) apr_palloc(r->pool, len+1); ++ char *buf = (char *) apr_palloc(r->pool, len+1); + apr_base64_decode(buf, ticket); + sepidx = ap_ind(buf, SEPARATOR); + /* If still no sepidx, must be bogus */ +@@ -532,26 +549,26 @@ parse_ticket(request_rec *r, char **magic, auth_tkt *parsed) + } + + /* Recheck length */ +- if (len <= (sconf->digest_sz + TSTAMP_SZ) || +- sepidx < (sconf->digest_sz + TSTAMP_SZ)) +- return 0; ++ if (len <= (sconf->digest_sz + TSTAMP_SZ) || ++ sepidx < (sconf->digest_sz + TSTAMP_SZ)) ++ return 0; + + if (conf->debug >= 1) { +- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, + "TKT parse_ticket decoded ticket: '%s'", ticket); + } +- ++ + /* Get the user id */ + parsed->uid = apr_palloc(r->pool, sepidx - (sconf->digest_sz + TSTAMP_SZ) + 1); +- memcpy(parsed->uid, &ticket[(sconf->digest_sz + TSTAMP_SZ)], ++ memcpy(parsed->uid, &ticket[(sconf->digest_sz + TSTAMP_SZ)], + sepidx - (sconf->digest_sz + TSTAMP_SZ)); + parsed->uid[sepidx - (sconf->digest_sz + TSTAMP_SZ)] = '\0'; +- ++ + /* Check for tokens */ + sep2idx = ap_ind(&ticket[sepidx+1], SEPARATOR); + if (sep2idx == -1) { + if (conf->debug >= 2) { +- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, + "TKT parse_ticket: no tokens"); + } + parsed->tokens = apr_palloc(r->pool, 1); +@@ -563,15 +580,15 @@ parse_ticket(request_rec *r, char **magic, auth_tkt *parsed) + sepidx = tmp + sep2idx + 1; + sep2idx = tmp; + if (conf->debug >= 2) { +- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, +- "TKT parse_ticket: tokens found - sep2=%d, sep=%d, len=%d", +- sep2idx, sepidx, len); ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, ++ "TKT parse_ticket: tokens found - sep2=%d, sep=%d, len=%d", ++ sep2idx, sepidx, len); + } + /* Copy tokens to parsed->tokens */ + parsed->tokens = apr_palloc(r->pool, sepidx-sep2idx); + apr_snprintf(parsed->tokens, sepidx-sep2idx, "%s", &ticket[sep2idx+1]); + if (conf->debug >= 2) { +- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, + "TKT parse_ticket tokens: '%s'", parsed->tokens); + } + } +@@ -579,25 +596,25 @@ parse_ticket(request_rec *r, char **magic, auth_tkt *parsed) + /* Copy user data to parsed->user_data */ + parsed->user_data = apr_palloc(r->pool, len-sepidx+1); + apr_snprintf(parsed->user_data, len-sepidx+1, "%s", &ticket[sepidx+1]); +- ++ + /* Copy timestamp to parsed->timestamp */ + sscanf(&ticket[sconf->digest_sz], "%8x", &(parsed->timestamp)); +- ++ + return 1; + } + + /* Search cookie headers for our ticket */ +-static int ++static int + cookie_match(void *result, const char *key, const char *cookie) + { + cookie_res * cr = (cookie_res *) result; +- auth_tkt_dir_conf *conf = ++ auth_tkt_dir_conf *conf = + ap_get_module_config(cr->r->per_dir_config, &auth_tkt_module); +- ++ + if (cookie != NULL) { + char *cookie_name, *value, *cookiebuf, *end; + if (conf->debug >= 2) { +- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, cr->r, ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, cr->r, + "TKT cookie_match, key %s against <%s> (name=%s)", + key, cookie, cr->cookie_name); + } +@@ -623,7 +640,7 @@ cookie_match(void *result, const char *key, const char *cookie) + if (strlen(cookiebuf)) { + cr->cookie = cookiebuf; + if (conf->debug >= 1) { +- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, cr->r, ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, cr->r, + "TKT cookie_match: found '%s'", cookiebuf); + } + return(0); +@@ -631,7 +648,7 @@ cookie_match(void *result, const char *key, const char *cookie) + } + } + if (conf->debug >= 2) { +- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, cr->r, ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, cr->r, + "TKT cookie_match: NOT found"); + } + return (1); +@@ -639,7 +656,7 @@ cookie_match(void *result, const char *key, const char *cookie) + + /* Return the domain to use in cookies */ + char * +-get_domain(request_rec *r, auth_tkt_dir_conf *conf) ++get_domain(request_rec *r, auth_tkt_dir_conf *conf) + { + /* Set the cookie domain to the first set of TKTAuthDomain, + X-Forwarded-Host, Host, or server hostname. Viljo Viitanen +@@ -665,7 +682,7 @@ get_domain(request_rec *r, auth_tkt_dir_conf *conf) + static void + send_auth_cookie(request_rec *r, char *value) + { +- auth_tkt_dir_conf *conf = ++ auth_tkt_dir_conf *conf = + ap_get_module_config(r->per_dir_config, &auth_tkt_module); + char *cookie, *expires; + char *domain = get_domain(r,conf); +@@ -679,12 +696,12 @@ send_auth_cookie(request_rec *r, char *value) + #ifndef APACHE13 + if (conf->cookie_expires > 0) { + apr_time_exp_t tms; +- apr_time_exp_gmt(&tms, r->request_time + ++ apr_time_exp_gmt(&tms, r->request_time + + apr_time_from_sec(conf->cookie_expires)); +- expires = ++ expires = + apr_psprintf(r->pool, "; expires=%s, %.2d-%s-%.2d %.2d:%.2d:%.2d GMT", + apr_day_snames[tms.tm_wday], +- tms.tm_mday, ++ tms.tm_mday, + apr_month_snames[tms.tm_mon], + tms.tm_year % 100, + tms.tm_hour, tms.tm_min, tms.tm_sec +@@ -693,12 +710,12 @@ send_auth_cookie(request_rec *r, char *value) + #endif + + /* Send the cookie */ +- cookie = apr_psprintf(r->pool, "%s=%s; path=/%s%s%s", ++ cookie = apr_psprintf(r->pool, "%s=%s; path=/%s%s%s", + conf->auth_cookie_name, value, domain, expires, secure_cookie); + apr_table_setn(r->err_headers_out, "Set-Cookie", cookie); + + if (conf->debug >= 1) { +- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, + "TKT: sending cookie: %s=%s; path=/%s%s%s", + conf->auth_cookie_name, value, domain, expires, secure_cookie); + } +@@ -708,7 +725,7 @@ send_auth_cookie(request_rec *r, char *value) + static char * + get_url_ticket(request_rec *r) + { +- auth_tkt_dir_conf *conf = ++ auth_tkt_dir_conf *conf = + ap_get_module_config(r->per_dir_config, &auth_tkt_module); + const char *args = NULL; /* url arguments string */ + const char *key, *val; +@@ -717,12 +734,12 @@ get_url_ticket(request_rec *r) + /* Use main request args if subrequest */ + request_rec *r_main = r->main == NULL ? r : r->main; + if (r_main->args != NULL) { +- args = apr_pstrdup(r->pool, r_main->args); ++ args = apr_pstrdup(r->pool, r_main->args); + } + + if (args != NULL) { + if (conf->debug >= 1) { +- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, + "TKT: looking for ticket in url: <%s>", args); + } + +@@ -731,12 +748,12 @@ get_url_ticket(request_rec *r) + + if (strcmp(key,conf->auth_cookie_name) == 0) { + if (conf->debug >= 1) { +- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, + "TKT: found url ticket: <%s>", val); + } + + /* Setup auth cookie using ticket value */ +- send_auth_cookie(r, (char *) val); ++ send_auth_cookie(r, (char *) val); + + /* Found ticket - ignore rest of arguments */ + ticket = (char *) val; +@@ -749,12 +766,12 @@ get_url_ticket(request_rec *r) + } + + /* Look for a cookie ticket */ +-static char * ++static char * + get_cookie_ticket(request_rec *r) + { +- auth_tkt_serv_conf *sconf = ++ auth_tkt_serv_conf *sconf = + ap_get_module_config(r->server->module_config, &auth_tkt_module); +- auth_tkt_dir_conf *conf = ++ auth_tkt_dir_conf *conf = + ap_get_module_config(r->per_dir_config, &auth_tkt_module); + + /* Walk cookie headers looking for matching ticket */ +@@ -770,7 +787,7 @@ get_cookie_ticket(request_rec *r) + } + if (strlen(cr->cookie) < sconf->digest_sz + TSTAMP_SZ) { + if (conf->debug >= 1) { +- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, + "TKT get_cookie_tkt: found cookie ticket, " + "but it's too short for a %s digest (%zu < %d)", + sconf->digest_type, strlen(cr->cookie), sconf->digest_sz + TSTAMP_SZ); +@@ -782,18 +799,18 @@ get_cookie_ticket(request_rec *r) + } + + /* Generate a ticket digest string from the given details */ +-static char * ++static char * + ticket_digest(request_rec *r, auth_tkt *parsed, unsigned int timestamp, const char *secret) + { +- auth_tkt_serv_conf *sconf = ++ auth_tkt_serv_conf *sconf = + ap_get_module_config(r->server->module_config, &auth_tkt_module); +- auth_tkt_dir_conf *conf = ++ auth_tkt_dir_conf *conf = + ap_get_module_config(r->per_dir_config, &auth_tkt_module); + char *uid = parsed->uid; + char *tokens = parsed->tokens; + char *user_data = parsed->user_data; + +- unsigned char *buf = apr_palloc(r->pool, ++ unsigned char *buf = apr_palloc(r->pool, + TSTAMP_SZ + strlen(secret) + strlen(uid) + 1 + strlen(tokens) + 1 + strlen(user_data) + 1); + unsigned char *buf2 = apr_palloc(r->pool, sconf->digest_sz + strlen(secret)); + int len = 0; +@@ -812,7 +829,7 @@ ticket_digest(request_rec *r, auth_tkt *parsed, unsigned int timestamp, const ch + if (timestamp == 0) timestamp = parsed->timestamp; + + if (conf->debug >= 2) { +- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, + "TKT ticket_digest: using secret '%s', ip '%s', ts '%d'", secret, remote_ip, timestamp); + } + +@@ -824,13 +841,13 @@ ticket_digest(request_rec *r, auth_tkt *parsed, unsigned int timestamp, const ch + buf[0] = (unsigned char ) ((ip & 0xff000000) >> 24); + buf[1] = (unsigned char ) ((ip & 0xff0000) >> 16); + buf[2] = (unsigned char ) ((ip & 0xff00) >> 8); +- buf[3] = (unsigned char ) ((ip & 0xff)); +- buf[4] = (unsigned char ) ((timestamp & 0xff000000) >> 24); +- buf[5] = (unsigned char ) ((timestamp & 0xff0000) >> 16); +- buf[6] = (unsigned char ) ((timestamp & 0xff00) >> 8); +- buf[7] = (unsigned char ) ((timestamp & 0xff)); ++ buf[3] = (unsigned char ) ((ip & 0xff)); ++ buf[4] = (unsigned char ) ((timestamp & 0xff000000) >> 24); ++ buf[5] = (unsigned char ) ((timestamp & 0xff0000) >> 16); ++ buf[6] = (unsigned char ) ((timestamp & 0xff00) >> 8); ++ buf[7] = (unsigned char ) ((timestamp & 0xff)); + len = 8; +- ++ + /* Append remaining components to buf */ + strcpy((char *)&buf[len], secret); + len += strlen(secret); +@@ -857,7 +874,7 @@ ticket_digest(request_rec *r, auth_tkt *parsed, unsigned int timestamp, const ch + digest = ap_md5_binary(r->pool, buf, len); + } + if (conf->debug >= 3) { +- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, + "TKT ticket_digest: digest0: '%s' (input length %d)", digest, len); + } + +@@ -879,7 +896,7 @@ ticket_digest(request_rec *r, auth_tkt *parsed, unsigned int timestamp, const ch + digest = ap_md5_binary(r->pool, buf2, len); + } + if (conf->debug >= 3) { +- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, + "TKT ticket_digest: digest: '%s'", digest); + } + +@@ -897,21 +914,21 @@ valid_ticket(request_rec *r, const char *source, char *ticket, auth_tkt *parsed, + char *digest; + auth_tkt_serv_conf *sconf = + ap_get_module_config(r->server->module_config, &auth_tkt_module); +- auth_tkt_dir_conf *conf = ++ auth_tkt_dir_conf *conf = + ap_get_module_config(r->per_dir_config, &auth_tkt_module); + + /* Attempt to parse ticket */ + if (! parse_ticket(r, &ticket, parsed)) { + if (conf->debug >= 1) { +- ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r, ++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r, + "TKT valid_ticket: unparseable %s ticket found ('%s')", source, ticket); + } + return 0; + } + + if (conf->debug >= 1) { +- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, +- "TKT valid_ticket: (parsed) uid '%s', tokens '%s', user_data '%s', ts '%d'", ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, ++ "TKT valid_ticket: (parsed) uid '%s', tokens '%s', user_data '%s', ts '%d'", + parsed->uid, parsed->tokens, parsed->user_data, parsed->timestamp); + } + +@@ -921,9 +938,9 @@ valid_ticket(request_rec *r, const char *source, char *ticket, auth_tkt *parsed, + + /* Digest mismatch - if no old secret set, fail */ + if(sconf->old_secret == NULL) { +- ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r, ++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r, + "TKT valid_ticket: ticket hash (current secret) is invalid, and no old secret set " +- "- digest '%s', ticket '%s'", ++ "- digest '%s', ticket '%s'", + digest, ticket); + return 0; + } +@@ -931,13 +948,13 @@ valid_ticket(request_rec *r, const char *source, char *ticket, auth_tkt *parsed, + /* Digest mismatch - if old_secret is set, recalculate using that */ + else { + if (conf->debug >= 1) { +- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, + "TKT valid_ticket: ticket hash (current secret) is invalid, but old_secret is set - checking ticket digest against that"); + } + digest = ticket_digest(r, parsed, 0, sconf->old_secret); + if (memcmp(ticket, digest, sconf->digest_sz) != 0) { +- ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r, +- "TKT valid_ticket: ticket hash (old secret) is also invalid - digest '%s', ticket '%s'", ++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r, ++ "TKT valid_ticket: ticket hash (old secret) is also invalid - digest '%s', ticket '%s'", + digest, ticket); + return 0; + } +@@ -946,7 +963,7 @@ valid_ticket(request_rec *r, const char *source, char *ticket, auth_tkt *parsed, + else { + if (force_refresh != NULL) { + if (conf->debug >= 1) { +- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, + "TKT valid_ticket: ticket_digest validated with old_secret - forcing a cookie refresh"); + } + *force_refresh = 1; +@@ -958,31 +975,31 @@ valid_ticket(request_rec *r, const char *source, char *ticket, auth_tkt *parsed, + return 1; + } + +-/* Check for required auth tokens ++/* Check for required auth tokens + * Returns 1 on success, 0 on failure */ + static int + check_tokens(request_rec *r, char *tokens) + { +- auth_tkt_dir_conf *conf = ++ auth_tkt_dir_conf *conf = + ap_get_module_config(r->per_dir_config, &auth_tkt_module); + char *next_parsed_token; + const char *t = NULL; +- int match = 0; ++ int match = 0; + + /* Success if no tokens required */ +- if (conf->auth_token->nelts == 0 || ++ if (conf->auth_token->nelts == 0 || + strcmp(((char **) conf->auth_token->elts)[0], "NULL") == 0) { + return 1; + } + /* Failure if required and no user tokens found */ + if (tokens == NULL || strlen(tokens) == 0) { +- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, + "TKT: no matching tokens! (no user tokens found)"); + return 0; + } + +- t = apr_pstrdup(r->pool, tokens); +- ++ t = apr_pstrdup(r->pool, tokens); ++ + while (*t && (next_parsed_token = ap_getword(r->pool, &t, ','))) { + char ** auth_tokens = (char **) conf->auth_token->elts; + int i; +@@ -990,16 +1007,16 @@ check_tokens(request_rec *r, char *tokens) + for (i=0; i < conf->auth_token->nelts; i++) { + int token_len = strlen(auth_tokens[i]); + if (strncmp(auth_tokens[i], next_parsed_token, token_len) == 0 && +- next_parsed_token[token_len] == 0) { +- match = 1; +- break; ++ next_parsed_token[token_len] == 0) { ++ match = 1; ++ break; + } + } + if (match) break; + } + + if (conf->debug >= 1 && ! match) { +- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, + "TKT: no matching tokens! (user tokens '%s')", tokens); + } + +@@ -1010,24 +1027,24 @@ check_tokens(request_rec *r, char *tokens) + static void + refresh_cookie(request_rec *r, auth_tkt *parsed, int timeout, int force_flag) + { +- auth_tkt_serv_conf *sconf = ++ auth_tkt_serv_conf *sconf = + ap_get_module_config(r->server->module_config, &auth_tkt_module); +- auth_tkt_dir_conf *conf = ++ auth_tkt_dir_conf *conf = + ap_get_module_config(r->per_dir_config, &auth_tkt_module); + + /* The timeout refresh is a double between 0 and 1, signifying what +- * proportion of the timeout should be left before we refresh i.e. ++ * proportion of the timeout should be left before we refresh i.e. + * 0 means never refresh (hard timeouts); 1 means always refresh; +- * .33 means only refresh if less than a third of the timeout +- * period remains. */ ++ * .33 means only refresh if less than a third of the timeout ++ * period remains. */ + unsigned int now = time(NULL); + int remainder = parsed->timestamp + timeout - now; + double refresh_sec = conf->timeout_refresh * timeout; + + if (conf->debug >= 1) { +- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, + "TKT refresh_cookie: timeout %d, refresh %.3f, remainder %d, refresh_sec %.3f, force_flag %d", +- timeout, conf->timeout_refresh, remainder, refresh_sec, force_flag); ++ timeout, conf->timeout_refresh, remainder, refresh_sec, force_flag); + } + + /* If less than our refresh_sec threshold, freshen the cookie */ +@@ -1036,29 +1053,29 @@ refresh_cookie(request_rec *r, auth_tkt *parsed, int timeout, int force_flag) + char *digest = ticket_digest(r, parsed, now, sconf->secret); + if (parsed->tokens) { + ticket = apr_psprintf(r->pool, +- "%s%08x%s%c%s%c%s", +- digest, now, parsed->uid, +- SEPARATOR, parsed->tokens, +- SEPARATOR, parsed->user_data); ++ "%s%08x%s%c%s%c%s", ++ digest, now, parsed->uid, ++ SEPARATOR, parsed->tokens, ++ SEPARATOR, parsed->user_data); *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***