aboutsummaryrefslogtreecommitdiffstats
path: root/www
diff options
context:
space:
mode:
authorkuriyama <kuriyama@FreeBSD.org>2012-10-25 23:15:52 +0800
committerkuriyama <kuriyama@FreeBSD.org>2012-10-25 23:15:52 +0800
commit8c826c467a018652c13c4ac66da171108a9faac8 (patch)
tree81912323953189d99b0a3740bab1d3aecd8c359f /www
parentc17ff48806d3a2dd957e7f3e47908136f4a63c2d (diff)
downloadfreebsd-ports-gnome-8c826c467a018652c13c4ac66da171108a9faac8.tar.gz
freebsd-ports-gnome-8c826c467a018652c13c4ac66da171108a9faac8.tar.zst
freebsd-ports-gnome-8c826c467a018652c13c4ac66da171108a9faac8.zip
- Add option to use TKTAuthQuerySeparator directive.
Obtained from: https://github.com/gavincarr/mod_auth_tkt Feature safe: yes
Diffstat (limited to 'www')
-rw-r--r--www/mod_auth_tkt/Makefile13
-rw-r--r--www/mod_auth_tkt/files/extra-patch-query-separator1454
2 files changed, 1467 insertions, 0 deletions
diff --git a/www/mod_auth_tkt/Makefile b/www/mod_auth_tkt/Makefile
index 5f3f9c6a9e62..76a4f0c6808c 100644
--- a/www/mod_auth_tkt/Makefile
+++ b/www/mod_auth_tkt/Makefile
@@ -3,6 +3,7 @@
PORTNAME= mod_auth_tkt
PORTVERSION= 2.1.0
+PORTREVISION= 1
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_LOCAL} \
http://www.openfusion.com.au/labs/dist/mod_auth_tkt/
@@ -13,12 +14,24 @@ COMMENT= Lightweight single-sign-on authentication module for apache
USE_APACHE= 22
WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}/src
+PATCH_WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}
+PATCH_STRIP= -p1
AP_FAST_BUILD= yes
SRC_FILE= ${PORTNAME}.c sha2.c
AP_EXTRAS= -DAPACHE22
MAN3= mod_auth_tkt.3
+OPTIONS_DEFINE= QUERY_SEP
+QUERY_SEP_DESC= Experimental TKTAuthQuerySeparator directive
+OPTIONS_DEFAULT=QUERY_SEP
+
+.include <bsd.port.options.mk>
+
+.if ${PORT_OPTIONS:MQUERY_SEP}
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-query-separator
+.endif
+
post-patch:
${REINPLACE_CMD} -e 's|.usr/share/man|${PREFIX}/man|' ${WRKSRC}/../Makedefs
diff --git a/www/mod_auth_tkt/files/extra-patch-query-separator b/www/mod_auth_tkt/files/extra-patch-query-separator
new file mode 100644
index 000000000000..edd60975a6c9
--- /dev/null
+++ b/www/mod_auth_tkt/files/extra-patch-query-separator
@@ -0,0 +1,1454 @@
+diff --git a/cgi/logout.cgi b/cgi/logout.cgi
+index b2a830c..41fa7e1 100755
+--- a/cgi/logout.cgi
++++ b/cgi/logout.cgi
+@@ -33,16 +33,19 @@ $back ||= $q->cookie($at->back_cookie_name) if $at->back_cookie_name;
+ $back ||= $q->param($at->back_arg_name) if $at->back_arg_name;
+ $back = $AuthTktConfig::DEFAULT_BACK_LOCATION if $AuthTktConfig::DEFAULT_BACK_LOCATION;
+ $back ||= $ENV{HTTP_REFERER} if $ENV{HTTP_REFERER} && $AuthTktConfig::BACK_REFERER;
+-if ($back && $back =~ m!^/!) {
+- my $hostname = $server_name;
+- my $port = $server_port;
+- $hostname .= ':' . $port if $port && $port != 80 && $port != 443;
+- $back = sprintf "http%s://%s%s", ($port == 443 ? 's' : ''), $hostname, $back;
+-} elsif ($back && $back !~ m/^http/i) {
+- $back = 'http://' . $back;
++my $back_html = '';
++if ($back) {
++ if ($back =~ m!^/!) {
++ my $hostname = $server_name;
++ my $port = $server_port;
++ $hostname .= ':' . $port if $port && $port != 80 && $port != 443;
++ $back = sprintf "http%s://%s%s", ($port == 443 ? 's' : ''), $hostname, $back;
++ } elsif ($back !~ m/^http/i) {
++ $back = 'http://' . $back;
++ }
++ $back = uri_unescape($back) if $back =~ m/^https?%3A%2F%2F/;
++ $back_html = escapeHTML($back);
+ }
+-$back = uri_unescape($back) if $back =~ m/^https?%3A%2F%2F/;
+-my $back_html = escapeHTML($back) if $back;
+
+ # Logout by resetting the auth cookie
+ my @cookies = cookie(-name => $at->cookie_name, -value => '', -expires => '-1h',
+diff --git a/conf/auth_tkt_cgi.conf b/conf/auth_tkt_cgi.conf
+index e2546bc..e969c44 100644
+--- a/conf/auth_tkt_cgi.conf
++++ b/conf/auth_tkt_cgi.conf
+@@ -13,6 +13,9 @@
+ # Digest type to use - default is MD5, alternatives are SHA256 or SHA512
+ #TKTAuthDigestType MD5
+
++# Query separator for generated URLs. Defaults to semi-colon (';')
++#TKTAuthQuerySeparator &
++
+ # Used by sample CGI scripts to locate this config file
+ SetEnv MOD_AUTH_TKT_CONF "/etc/httpd/conf.d/auth_tkt_cgi.conf"
+
+diff --git a/doc/mod_auth_tkt.pod b/doc/mod_auth_tkt.pod
+index dd7d85c..edf0590 100644
+--- a/doc/mod_auth_tkt.pod
++++ b/doc/mod_auth_tkt.pod
+@@ -227,7 +227,9 @@ the ticket hashing, so you should always set a TKTAuthTimeout in
+ addition to using an expiry. Cookie expiries are refreshed with
+ tickets if TKTAuthTimeoutRefresh is set.
+
+-Default: none. Examples:
++Default: none (not used).
++
++e.g.
+
+ TKTAuthCookieExpires 86400
+ TKTAuthCookieExpires 1w
+@@ -245,6 +247,11 @@ http://www.example.com/index.html and TKTAuthBackArgName is set to
+
+ to the TKTAuthLoginURL it redirects to, allowing your login script
+ to redirect back to the requested page upon successful login.
++
++To omit altogether, set to the string B<None> i.e.
++
++ TKTAuthBackArgName None
++
+ Default: 'back'.
+
+ =item TKTAuthBackCookieName <name>
+@@ -252,7 +259,9 @@ Default: 'back'.
+ The cookie name to use for the back cookie. If this is set,
+ mod_auth_tkt will set a back cookie containing a URI-escaped version
+ of current requested page when redirecting (see TKTAuthBackArgName
+-above). Default: none.
++above), instead of using a GET parameter.
++
++Default: none (not used).
+
+ =item TKTAuthToken <token>
+
+@@ -267,7 +276,9 @@ Note that this directive can be repeated, and the semantics are that
+ B<any> of the required tokens is sufficient for access i.e. the tokens
+ are ORed.
+
+-Default: none. e.g.
++Default: none (not used).
++
++e.g.
+
+ TKTAuthToken finance
+ TKTAuthToken admin
+@@ -281,8 +292,12 @@ this as well, setting the client IP address to 0.0.0.0). This is
+ often required out on the open internet, especially if you are
+ using an HTTPS login page (as you should) and are dealing with
+ more than a handful of users (the typical problem being
+-transparent HTTP proxies at ISPs). Default: 'off' i.e. ticket
+-is only valid from the originating IP address. e.g.
++transparent HTTP proxies at ISPs).
++
++Default: 'off' i.e. ticket is only valid from the originating
++IP address.
++
++e.g.
+
+ TKTAuthIgnoreIP on
+
+diff --git a/src/mod_auth_tkt.c b/src/mod_auth_tkt.c
+index c2609e9..74bb669 100644
+--- a/src/mod_auth_tkt.c
++++ b/src/mod_auth_tkt.c
+@@ -38,6 +38,7 @@
+ #define REMOTE_USER_TOKENS_ENV "REMOTE_USER_TOKENS"
+ #define DEFAULT_TIMEOUT_SEC 7200
+ #define DEFAULT_GUEST_USER "guest"
++#define QUERY_SEPARATOR ';'
+
+ #define FORCE_REFRESH 1
+ #define CHECK_REFRESH 0
+@@ -68,6 +69,7 @@ typedef struct {
+ char *guest_user;
+ int guest_fallback;
+ int debug;
++ const char *query_separator;
+ } auth_tkt_dir_conf;
+
+ /* Per-server configuration */
+@@ -99,24 +101,24 @@ void
+ auth_tkt_version(server_rec *s, pool *p)
+ {
+ ap_add_version_component("mod_auth_tkt/" TKT_AUTH_VERSION);
+- ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s,
++ ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s,
+ "mod_auth_tkt: version %s", TKT_AUTH_VERSION);
+ }
+
+ #else
+ static int
+-auth_tkt_version(apr_pool_t *p,
++auth_tkt_version(apr_pool_t *p,
+ apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
+ {
+ ap_add_version_component(p, "mod_auth_tkt/" TKT_AUTH_VERSION);
+- ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s,
++ ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s,
+ "mod_auth_tkt: version %s", TKT_AUTH_VERSION);
+ return DECLINED;
+ }
+ #endif
+
+ /* Create per-dir config structures */
+-static void *
++static void *
+ create_auth_tkt_config(apr_pool_t *p, char* path)
+ {
+ auth_tkt_dir_conf *conf = apr_palloc(p, sizeof(*conf));
+@@ -142,11 +144,12 @@ create_auth_tkt_config(apr_pool_t *p, char* path)
+ conf->guest_user = NULL;
+ conf->guest_fallback = -1;
+ conf->debug = -1;
+- return conf;
++ conf->query_separator = (char *)QUERY_SEPARATOR;
++ return conf;
+ }
+
+ /* Merge per-dir config structures */
+-static void *
++static void *
+ merge_auth_tkt_config(apr_pool_t *p, void* parent_dirv, void* subdirv)
+ {
+ auth_tkt_dir_conf *parent = (auth_tkt_dir_conf *) parent_dirv;
+@@ -174,6 +177,7 @@ merge_auth_tkt_config(apr_pool_t *p, void* parent_dirv, void* subdirv)
+ conf->guest_user = (subdir->guest_user) ? subdir->guest_user : parent->guest_user;
+ conf->guest_fallback = (subdir->guest_fallback >= 0) ? subdir->guest_fallback : parent->guest_fallback;
+ conf->debug = (subdir->debug >= 0) ? subdir->debug : parent->debug;
++ conf->query_separator = (subdir->query_separator) ? subdir->query_separator : parent->query_separator;
+
+ return conf;
+ }
+@@ -188,7 +192,7 @@ create_auth_tkt_serv_config(apr_pool_t *p, server_rec* s)
+ sconf->digest_type = NULL;
+ sconf->digest_sz = 0;
+ return sconf;
+-}
++}
+
+ /* Merge per-server config structures */
+ static void *
+@@ -203,7 +207,7 @@ merge_auth_tkt_serv_config(apr_pool_t *p, void* parent_dirv, void* subdirv)
+ sconf->digest_type = (subdir->digest_type) ? subdir->digest_type : parent->digest_type;
+ sconf->digest_sz = (subdir->digest_sz) ? subdir->digest_sz : parent->digest_sz;
+ return sconf;
+-}
++}
+
+ /* ----------------------------------------------------------------------- */
+ /* Command-specific functions */
+@@ -243,8 +247,8 @@ convert_to_seconds (cmd_parms *cmd, const char *param, int *seconds)
+ multiplier = 30 * 24 * 60 * 60;
+ else if (unit == 'y')
+ multiplier = 365 * 24 * 60 * 60;
+- else
+- return apr_psprintf(cmd->pool,
++ else
++ return apr_psprintf(cmd->pool,
+ "Bad time string - unrecognised unit '%c'", unit);
+ }
+
+@@ -256,7 +260,7 @@ convert_to_seconds (cmd_parms *cmd, const char *param, int *seconds)
+ static const char *
+ set_auth_tkt_token (cmd_parms *cmd, void *cfg, const char *param)
+ {
+- char **new;
++ char **new;
+ auth_tkt_dir_conf *conf = (auth_tkt_dir_conf *) cfg;
+
+ new = (char **) apr_array_push(conf->auth_token);
+@@ -270,12 +274,12 @@ set_auth_tkt_timeout (cmd_parms *cmd, void *cfg, const char *param)
+ auth_tkt_dir_conf *conf = (auth_tkt_dir_conf *)cfg;
+ int seconds = conf->timeout_sec;
+ const char *error;
+-
++
+ /* Easy case - looks like all digits */
+ if (apr_isdigit(param[0]) && apr_isdigit(param[strlen(param) - 1])) {
+ seconds = atoi(param);
+ }
+-
++
+ /* Harder case - convert units to seconds */
+ else {
+ error = convert_to_seconds(cmd, param, &seconds);
+@@ -286,7 +290,7 @@ set_auth_tkt_timeout (cmd_parms *cmd, void *cfg, const char *param)
+ if (seconds == INT_MAX) return ("Integer overflow or invalid number");
+
+ conf->timeout_sec = seconds;
+-
++
+ return NULL;
+ }
+
+@@ -294,14 +298,14 @@ static const char *
+ set_auth_tkt_timeout_min (cmd_parms *cmd, void *cfg, const char *param)
+ {
+ auth_tkt_dir_conf *conf = (auth_tkt_dir_conf *)cfg;
+-
++
+ int minutes = atoi(param);
+-
++
+ if (minutes < 0) return ("Timeout must be positive");
+ if (minutes == INT_MAX) return ("Integer overflow or invalid number");
+-
++
+ conf->timeout_sec = minutes * 60;
+-
++
+ return NULL;
+ }
+
+@@ -309,21 +313,21 @@ static const char *
+ set_auth_tkt_timeout_refresh (cmd_parms *cmd, void *cfg, const char *param)
+ {
+ auth_tkt_dir_conf *conf = (auth_tkt_dir_conf *)cfg;
+-
++
+ double refresh = atof(param);
+
+- if (refresh < 0 || refresh > 1)
++ if (refresh < 0 || refresh > 1)
+ return "Refresh flag must be between 0 and 1";
+-
++
+ conf->timeout_refresh = refresh;
+-
++
+ return NULL;
+ }
+
+ static const char *
+ setup_secret (cmd_parms *cmd, void *cfg, const char *param)
+ {
+- auth_tkt_serv_conf *sconf =
++ auth_tkt_serv_conf *sconf =
+ ap_get_module_config(cmd->server->module_config, &auth_tkt_module);
+ sconf->secret = param;
+ return NULL;
+@@ -332,12 +336,22 @@ setup_secret (cmd_parms *cmd, void *cfg, const char *param)
+ static const char *
+ setup_old_secret (cmd_parms *cmd, void *cfg, const char *param)
+ {
+- auth_tkt_serv_conf *sconf = ap_get_module_config(cmd->server->module_config,
++ auth_tkt_serv_conf *sconf = ap_get_module_config(cmd->server->module_config,
+ &auth_tkt_module);
+ sconf->old_secret = param;
+ return NULL;
+ }
+
++static const char *
++setup_query_separator (cmd_parms *cmd, void *cfg, const char *param)
++{
++ if (strcmp(param, ";") != 0 && strcmp(param, "&") != 0)
++ return "QuerySeparator must be either ';' or '&'.";
++ auth_tkt_dir_conf *conf = (auth_tkt_dir_conf *)cfg;
++ conf->query_separator = param;
++ return NULL;
++}
++
+ void
+ setup_digest_sz (auth_tkt_serv_conf *sconf)
+ {
+@@ -355,10 +369,10 @@ setup_digest_sz (auth_tkt_serv_conf *sconf)
+ static const char *
+ setup_digest_type (cmd_parms *cmd, void *cfg, const char *param)
+ {
+- auth_tkt_serv_conf *sconf =
++ auth_tkt_serv_conf *sconf =
+ ap_get_module_config(cmd->server->module_config, &auth_tkt_module);
+
+- if (strcmp(param, "MD5") != 0 &&
++ if (strcmp(param, "MD5") != 0 &&
+ strcmp(param, "SHA256") != 0 &&
+ strcmp(param, "SHA512") != 0)
+ return "Digest type must be one of: MD5 | SHA256 | SHA512.";
+@@ -391,7 +405,7 @@ set_cookie_expires (cmd_parms *cmd, void *cfg, const char *param)
+ if (seconds == INT_MAX) return ("Integer overflow or invalid number");
+
+ conf->cookie_expires = seconds;
+-
++
+ return NULL;
+ }
+
+@@ -399,90 +413,93 @@ static const char *
+ set_auth_tkt_debug (cmd_parms *cmd, void *cfg, const char *param)
+ {
+ auth_tkt_dir_conf *conf = (auth_tkt_dir_conf *)cfg;
+-
++
+ int debug = atoi(param);
+-
++
+ if (debug < 0) return ("Debug level must be positive");
+ if (debug == INT_MAX) return ("Integer overflow or invalid number");
+-
++
+ conf->debug = debug;
+-
++
+ return NULL;
+ }
+
+ /* Command table */
+ static const command_rec auth_tkt_cmds[] =
+ {
+- AP_INIT_TAKE1("TKTAuthLoginURL", ap_set_string_slot,
++ AP_INIT_TAKE1("TKTAuthLoginURL", ap_set_string_slot,
+ (void *)APR_OFFSETOF(auth_tkt_dir_conf, login_url),
+ OR_AUTHCFG, "URL to redirect to if authentication fails"),
+- AP_INIT_TAKE1("TKTAuthTimeoutURL", ap_set_string_slot,
++ AP_INIT_TAKE1("TKTAuthTimeoutURL", ap_set_string_slot,
+ (void *)APR_OFFSETOF(auth_tkt_dir_conf, timeout_url),
+ OR_AUTHCFG, "URL to redirect to if cookie times-out"),
+- AP_INIT_TAKE1("TKTAuthPostTimeoutURL", ap_set_string_slot,
++ AP_INIT_TAKE1("TKTAuthPostTimeoutURL", ap_set_string_slot,
+ (void *)APR_OFFSETOF(auth_tkt_dir_conf, post_timeout_url),
+ OR_AUTHCFG, "URL to redirect to if cookie times-out doing a POST"),
+- AP_INIT_TAKE1("TKTAuthUnauthURL", ap_set_string_slot,
++ AP_INIT_TAKE1("TKTAuthUnauthURL", ap_set_string_slot,
+ (void *)APR_OFFSETOF(auth_tkt_dir_conf, unauth_url),
+ OR_AUTHCFG, "URL to redirect to if valid user without required token"),
+- AP_INIT_TAKE1("TKTAuthCookieName", ap_set_string_slot,
++ AP_INIT_TAKE1("TKTAuthCookieName", ap_set_string_slot,
+ (void *)APR_OFFSETOF(auth_tkt_dir_conf, auth_cookie_name),
+ OR_AUTHCFG, "name to use for ticket cookie"),
+- AP_INIT_TAKE1("TKTAuthDomain", ap_set_string_slot,
++ AP_INIT_TAKE1("TKTAuthDomain", ap_set_string_slot,
+ (void *)APR_OFFSETOF(auth_tkt_dir_conf, auth_domain),
+ OR_AUTHCFG, "domain to use in cookies"),
+ #ifndef APACHE13
+ /* TKTAuthCookieExpires is not supported under Apache 1.3 */
+- AP_INIT_ITERATE("TKTAuthCookieExpires", set_cookie_expires,
++ AP_INIT_ITERATE("TKTAuthCookieExpires", set_cookie_expires,
+ (void *)APR_OFFSETOF(auth_tkt_dir_conf, cookie_expires),
+ OR_AUTHCFG, "cookie expiry period, in seconds or units [smhdwMy]"),
+ #endif
+- AP_INIT_TAKE1("TKTAuthBackCookieName", ap_set_string_slot,
++ AP_INIT_TAKE1("TKTAuthBackCookieName", ap_set_string_slot,
+ (void *)APR_OFFSETOF(auth_tkt_dir_conf, back_cookie_name),
+- OR_AUTHCFG, "name to use for back cookie (NULL for none)"),
+- AP_INIT_TAKE1("TKTAuthBackArgName", ap_set_string_slot,
++ OR_AUTHCFG, "name to use for back cookie (default: none)"),
++ AP_INIT_TAKE1("TKTAuthBackArgName", ap_set_string_slot,
+ (void *)APR_OFFSETOF(auth_tkt_dir_conf, back_arg_name),
+- OR_AUTHCFG, "name to use for back url argument (NULL for none)"),
+- AP_INIT_FLAG("TKTAuthIgnoreIP", ap_set_flag_slot,
++ OR_AUTHCFG, "name to use for back url argument ('None' to not use)"),
++ AP_INIT_FLAG("TKTAuthIgnoreIP", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(auth_tkt_dir_conf, ignore_ip),
+ OR_AUTHCFG, "whether to ignore remote IP address in ticket"),
+- AP_INIT_FLAG("TKTAuthRequireSSL", ap_set_flag_slot,
++ AP_INIT_FLAG("TKTAuthRequireSSL", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(auth_tkt_dir_conf, require_ssl),
+ OR_AUTHCFG, "whether to refuse non-HTTPS requests"),
+- AP_INIT_FLAG("TKTAuthCookieSecure", ap_set_flag_slot,
++ AP_INIT_FLAG("TKTAuthCookieSecure", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(auth_tkt_dir_conf, secure_cookie),
+ OR_AUTHCFG, "whether to set secure flag on ticket cookies"),
+- AP_INIT_ITERATE("TKTAuthToken", set_auth_tkt_token,
++ AP_INIT_ITERATE("TKTAuthToken", set_auth_tkt_token,
+ (void *)APR_OFFSETOF(auth_tkt_dir_conf, auth_token),
+ OR_AUTHCFG, "token required to access this area (NULL for none)"),
+- AP_INIT_ITERATE("TKTAuthTimeout", set_auth_tkt_timeout,
++ AP_INIT_ITERATE("TKTAuthTimeout", set_auth_tkt_timeout,
+ (void *)APR_OFFSETOF(auth_tkt_dir_conf, timeout_sec),
+ OR_AUTHCFG, "ticket inactivity timeout, in seconds or units [smhdwMy]"),
+- AP_INIT_TAKE1("TKTAuthTimeoutMin", set_auth_tkt_timeout_min,
++ AP_INIT_TAKE1("TKTAuthTimeoutMin", set_auth_tkt_timeout_min,
+ NULL, OR_AUTHCFG, "ticket inactivity timeout, in minutes (deprecated)"),
+- AP_INIT_TAKE1("TKTAuthTimeoutRefresh", set_auth_tkt_timeout_refresh,
++ AP_INIT_TAKE1("TKTAuthTimeoutRefresh", set_auth_tkt_timeout_refresh,
+ NULL, OR_AUTHCFG, "ticket timeout refresh flag (0-1)"),
+- AP_INIT_TAKE1("TKTAuthSecret", setup_secret,
++ AP_INIT_TAKE1("TKTAuthSecret", setup_secret,
+ NULL, RSRC_CONF, "secret key to use in digest"),
+- AP_INIT_TAKE1("TKTAuthSecretOld", setup_old_secret,
++ AP_INIT_TAKE1("TKTAuthSecretOld", setup_old_secret,
+ NULL, RSRC_CONF, "old/alternative secret key to check in digests"),
+- AP_INIT_TAKE1("TKTAuthDigestType", setup_digest_type,
+- NULL, RSRC_CONF, "digest type to use [MD5|SHA256|SHA512], default MD5"),
++ AP_INIT_TAKE1("TKTAuthDigestType", setup_digest_type,
++ NULL, RSRC_CONF, "digest type to use [MD5|SHA256|SHA512], default: MD5"),
+ AP_INIT_FLAG("TKTAuthGuestLogin", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(auth_tkt_dir_conf, guest_login),
+ OR_AUTHCFG, "whether to log people in as guest if no other auth available"),
+ AP_INIT_FLAG("TKTAuthGuestCookie", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(auth_tkt_dir_conf, guest_cookie),
+- OR_AUTHCFG, "whether to set a cookie when accepting guest users (default off)"),
+- AP_INIT_TAKE1("TKTAuthGuestUser", ap_set_string_slot,
++ OR_AUTHCFG, "whether to set a cookie when accepting guest users (default: off)"),
++ AP_INIT_TAKE1("TKTAuthGuestUser", ap_set_string_slot,
+ (void *)APR_OFFSETOF(auth_tkt_dir_conf, guest_user),
+ OR_AUTHCFG, "username to use for guest logins"),
+ AP_INIT_FLAG("TKTAuthGuestFallback", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(auth_tkt_dir_conf, guest_fallback),
+- OR_AUTHCFG, "whether to fall back to guest on an expired ticket (default off)"),
+- AP_INIT_ITERATE("TKTAuthDebug", set_auth_tkt_debug,
++ OR_AUTHCFG, "whether to fall back to guest on an expired ticket (default: off)"),
++ AP_INIT_ITERATE("TKTAuthDebug", set_auth_tkt_debug,
+ (void *)APR_OFFSETOF(auth_tkt_dir_conf, debug),
+ OR_AUTHCFG, "debug level (1-3, higher for more debug output)"),
++ AP_INIT_TAKE1("TKTAuthQuerySeparator", setup_query_separator,
++ (void *)APR_OFFSETOF(auth_tkt_dir_conf, query_separator),
++ OR_AUTHCFG, "Character used in query strings to separate arguments (default: ';')"),
+ {NULL},
+ };
+
+@@ -490,28 +507,28 @@ static const command_rec auth_tkt_cmds[] =
+ /* Support functions */
+
+ /* Parse cookie. Returns 1 if valid, and details in *parsed; 0 if not */
+-static int
++static int
+ parse_ticket(request_rec *r, char **magic, auth_tkt *parsed)
+ {
+ int sepidx, sep2idx;
+ char *ticket = *magic;
+ int len = strlen(ticket);
+- auth_tkt_serv_conf *sconf =
++ auth_tkt_serv_conf *sconf =
+ ap_get_module_config(r->server->module_config, &auth_tkt_module);
+- auth_tkt_dir_conf *conf =
++ auth_tkt_dir_conf *conf =
+ ap_get_module_config(r->per_dir_config, &auth_tkt_module);
+-
++
+ /* For some reason (some clients?), tickets sometimes come in quoted */
+ if (ticket[len-1] == '"') ticket[len-1] = 0;
+ if (ticket[0] == '"') *magic = ++ticket;
+
+ /* Basic length check for min size */
+ if (len <= (sconf->digest_sz + TSTAMP_SZ))
+- return 0;
+-
++ return 0;
++
+ /* See if there is a uid/data separator */
+ sepidx = ap_ind(ticket, SEPARATOR);
+- if (sepidx == -1) {
++ if (sepidx == -1) {
+ /* Ticket either uri-escaped, base64-escaped, or bogus */
+ if (strstr(ticket, SEPARATOR_HEX)) {
+ ap_unescape_url(ticket);
+@@ -519,7 +536,7 @@ parse_ticket(request_rec *r, char **magic, auth_tkt *parsed)
+ }
+ else {
+ /* base64 encoded string always longer than original, so len+1 sufficient */
+- char *buf = (char *) apr_palloc(r->pool, len+1);
++ char *buf = (char *) apr_palloc(r->pool, len+1);
+ apr_base64_decode(buf, ticket);
+ sepidx = ap_ind(buf, SEPARATOR);
+ /* If still no sepidx, must be bogus */
+@@ -532,26 +549,26 @@ parse_ticket(request_rec *r, char **magic, auth_tkt *parsed)
+ }
+
+ /* Recheck length */
+- if (len <= (sconf->digest_sz + TSTAMP_SZ) ||
+- sepidx < (sconf->digest_sz + TSTAMP_SZ))
+- return 0;
++ if (len <= (sconf->digest_sz + TSTAMP_SZ) ||
++ sepidx < (sconf->digest_sz + TSTAMP_SZ))
++ return 0;
+
+ if (conf->debug >= 1) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+ "TKT parse_ticket decoded ticket: '%s'", ticket);
+ }
+-
++
+ /* Get the user id */
+ parsed->uid = apr_palloc(r->pool, sepidx - (sconf->digest_sz + TSTAMP_SZ) + 1);
+- memcpy(parsed->uid, &ticket[(sconf->digest_sz + TSTAMP_SZ)],
++ memcpy(parsed->uid, &ticket[(sconf->digest_sz + TSTAMP_SZ)],
+ sepidx - (sconf->digest_sz + TSTAMP_SZ));
+ parsed->uid[sepidx - (sconf->digest_sz + TSTAMP_SZ)] = '\0';
+-
++
+ /* Check for tokens */
+ sep2idx = ap_ind(&ticket[sepidx+1], SEPARATOR);
+ if (sep2idx == -1) {
+ if (conf->debug >= 2) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+ "TKT parse_ticket: no tokens");
+ }
+ parsed->tokens = apr_palloc(r->pool, 1);
+@@ -563,15 +580,15 @@ parse_ticket(request_rec *r, char **magic, auth_tkt *parsed)
+ sepidx = tmp + sep2idx + 1;
+ sep2idx = tmp;
+ if (conf->debug >= 2) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+- "TKT parse_ticket: tokens found - sep2=%d, sep=%d, len=%d",
+- sep2idx, sepidx, len);
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ "TKT parse_ticket: tokens found - sep2=%d, sep=%d, len=%d",
++ sep2idx, sepidx, len);
+ }
+ /* Copy tokens to parsed->tokens */
+ parsed->tokens = apr_palloc(r->pool, sepidx-sep2idx);
+ apr_snprintf(parsed->tokens, sepidx-sep2idx, "%s", &ticket[sep2idx+1]);
+ if (conf->debug >= 2) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+ "TKT parse_ticket tokens: '%s'", parsed->tokens);
+ }
+ }
+@@ -579,25 +596,25 @@ parse_ticket(request_rec *r, char **magic, auth_tkt *parsed)
+ /* Copy user data to parsed->user_data */
+ parsed->user_data = apr_palloc(r->pool, len-sepidx+1);
+ apr_snprintf(parsed->user_data, len-sepidx+1, "%s", &ticket[sepidx+1]);
+-
++
+ /* Copy timestamp to parsed->timestamp */
+ sscanf(&ticket[sconf->digest_sz], "%8x", &(parsed->timestamp));
+-
++
+ return 1;
+ }
+
+ /* Search cookie headers for our ticket */
+-static int
++static int
+ cookie_match(void *result, const char *key, const char *cookie)
+ {
+ cookie_res * cr = (cookie_res *) result;
+- auth_tkt_dir_conf *conf =
++ auth_tkt_dir_conf *conf =
+ ap_get_module_config(cr->r->per_dir_config, &auth_tkt_module);
+-
++
+ if (cookie != NULL) {
+ char *cookie_name, *value, *cookiebuf, *end;
+ if (conf->debug >= 2) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, cr->r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, cr->r,
+ "TKT cookie_match, key %s against <%s> (name=%s)",
+ key, cookie, cr->cookie_name);
+ }
+@@ -623,7 +640,7 @@ cookie_match(void *result, const char *key, const char *cookie)
+ if (strlen(cookiebuf)) {
+ cr->cookie = cookiebuf;
+ if (conf->debug >= 1) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, cr->r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, cr->r,
+ "TKT cookie_match: found '%s'", cookiebuf);
+ }
+ return(0);
+@@ -631,7 +648,7 @@ cookie_match(void *result, const char *key, const char *cookie)
+ }
+ }
+ if (conf->debug >= 2) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, cr->r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, cr->r,
+ "TKT cookie_match: NOT found");
+ }
+ return (1);
+@@ -639,7 +656,7 @@ cookie_match(void *result, const char *key, const char *cookie)
+
+ /* Return the domain to use in cookies */
+ char *
+-get_domain(request_rec *r, auth_tkt_dir_conf *conf)
++get_domain(request_rec *r, auth_tkt_dir_conf *conf)
+ {
+ /* Set the cookie domain to the first set of TKTAuthDomain,
+ X-Forwarded-Host, Host, or server hostname. Viljo Viitanen
+@@ -665,7 +682,7 @@ get_domain(request_rec *r, auth_tkt_dir_conf *conf)
+ static void
+ send_auth_cookie(request_rec *r, char *value)
+ {
+- auth_tkt_dir_conf *conf =
++ auth_tkt_dir_conf *conf =
+ ap_get_module_config(r->per_dir_config, &auth_tkt_module);
+ char *cookie, *expires;
+ char *domain = get_domain(r,conf);
+@@ -679,12 +696,12 @@ send_auth_cookie(request_rec *r, char *value)
+ #ifndef APACHE13
+ if (conf->cookie_expires > 0) {
+ apr_time_exp_t tms;
+- apr_time_exp_gmt(&tms, r->request_time +
++ apr_time_exp_gmt(&tms, r->request_time +
+ apr_time_from_sec(conf->cookie_expires));
+- expires =
++ expires =
+ apr_psprintf(r->pool, "; expires=%s, %.2d-%s-%.2d %.2d:%.2d:%.2d GMT",
+ apr_day_snames[tms.tm_wday],
+- tms.tm_mday,
++ tms.tm_mday,
+ apr_month_snames[tms.tm_mon],
+ tms.tm_year % 100,
+ tms.tm_hour, tms.tm_min, tms.tm_sec
+@@ -693,12 +710,12 @@ send_auth_cookie(request_rec *r, char *value)
+ #endif
+
+ /* Send the cookie */
+- cookie = apr_psprintf(r->pool, "%s=%s; path=/%s%s%s",
++ cookie = apr_psprintf(r->pool, "%s=%s; path=/%s%s%s",
+ conf->auth_cookie_name, value, domain, expires, secure_cookie);
+ apr_table_setn(r->err_headers_out, "Set-Cookie", cookie);
+
+ if (conf->debug >= 1) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+ "TKT: sending cookie: %s=%s; path=/%s%s%s",
+ conf->auth_cookie_name, value, domain, expires, secure_cookie);
+ }
+@@ -708,7 +725,7 @@ send_auth_cookie(request_rec *r, char *value)
+ static char *
+ get_url_ticket(request_rec *r)
+ {
+- auth_tkt_dir_conf *conf =
++ auth_tkt_dir_conf *conf =
+ ap_get_module_config(r->per_dir_config, &auth_tkt_module);
+ const char *args = NULL; /* url arguments string */
+ const char *key, *val;
+@@ -717,12 +734,12 @@ get_url_ticket(request_rec *r)
+ /* Use main request args if subrequest */
+ request_rec *r_main = r->main == NULL ? r : r->main;
+ if (r_main->args != NULL) {
+- args = apr_pstrdup(r->pool, r_main->args);
++ args = apr_pstrdup(r->pool, r_main->args);
+ }
+
+ if (args != NULL) {
+ if (conf->debug >= 1) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+ "TKT: looking for ticket in url: <%s>", args);
+ }
+
+@@ -731,12 +748,12 @@ get_url_ticket(request_rec *r)
+
+ if (strcmp(key,conf->auth_cookie_name) == 0) {
+ if (conf->debug >= 1) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+ "TKT: found url ticket: <%s>", val);
+ }
+
+ /* Setup auth cookie using ticket value */
+- send_auth_cookie(r, (char *) val);
++ send_auth_cookie(r, (char *) val);
+
+ /* Found ticket - ignore rest of arguments */
+ ticket = (char *) val;
+@@ -749,12 +766,12 @@ get_url_ticket(request_rec *r)
+ }
+
+ /* Look for a cookie ticket */
+-static char *
++static char *
+ get_cookie_ticket(request_rec *r)
+ {
+- auth_tkt_serv_conf *sconf =
++ auth_tkt_serv_conf *sconf =
+ ap_get_module_config(r->server->module_config, &auth_tkt_module);
+- auth_tkt_dir_conf *conf =
++ auth_tkt_dir_conf *conf =
+ ap_get_module_config(r->per_dir_config, &auth_tkt_module);
+
+ /* Walk cookie headers looking for matching ticket */
+@@ -770,7 +787,7 @@ get_cookie_ticket(request_rec *r)
+ }
+ if (strlen(cr->cookie) < sconf->digest_sz + TSTAMP_SZ) {
+ if (conf->debug >= 1) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+ "TKT get_cookie_tkt: found cookie ticket, "
+ "but it's too short for a %s digest (%zu < %d)",
+ sconf->digest_type, strlen(cr->cookie), sconf->digest_sz + TSTAMP_SZ);
+@@ -782,18 +799,18 @@ get_cookie_ticket(request_rec *r)
+ }
+
+ /* Generate a ticket digest string from the given details */
+-static char *
++static char *
+ ticket_digest(request_rec *r, auth_tkt *parsed, unsigned int timestamp, const char *secret)
+ {
+- auth_tkt_serv_conf *sconf =
++ auth_tkt_serv_conf *sconf =
+ ap_get_module_config(r->server->module_config, &auth_tkt_module);
+- auth_tkt_dir_conf *conf =
++ auth_tkt_dir_conf *conf =
+ ap_get_module_config(r->per_dir_config, &auth_tkt_module);
+ char *uid = parsed->uid;
+ char *tokens = parsed->tokens;
+ char *user_data = parsed->user_data;
+
+- unsigned char *buf = apr_palloc(r->pool,
++ unsigned char *buf = apr_palloc(r->pool,
+ TSTAMP_SZ + strlen(secret) + strlen(uid) + 1 + strlen(tokens) + 1 + strlen(user_data) + 1);
+ unsigned char *buf2 = apr_palloc(r->pool, sconf->digest_sz + strlen(secret));
+ int len = 0;
+@@ -812,7 +829,7 @@ ticket_digest(request_rec *r, auth_tkt *parsed, unsigned int timestamp, const ch
+ if (timestamp == 0) timestamp = parsed->timestamp;
+
+ if (conf->debug >= 2) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+ "TKT ticket_digest: using secret '%s', ip '%s', ts '%d'", secret, remote_ip, timestamp);
+ }
+
+@@ -824,13 +841,13 @@ ticket_digest(request_rec *r, auth_tkt *parsed, unsigned int timestamp, const ch
+ buf[0] = (unsigned char ) ((ip & 0xff000000) >> 24);
+ buf[1] = (unsigned char ) ((ip & 0xff0000) >> 16);
+ buf[2] = (unsigned char ) ((ip & 0xff00) >> 8);
+- buf[3] = (unsigned char ) ((ip & 0xff));
+- buf[4] = (unsigned char ) ((timestamp & 0xff000000) >> 24);
+- buf[5] = (unsigned char ) ((timestamp & 0xff0000) >> 16);
+- buf[6] = (unsigned char ) ((timestamp & 0xff00) >> 8);
+- buf[7] = (unsigned char ) ((timestamp & 0xff));
++ buf[3] = (unsigned char ) ((ip & 0xff));
++ buf[4] = (unsigned char ) ((timestamp & 0xff000000) >> 24);
++ buf[5] = (unsigned char ) ((timestamp & 0xff0000) >> 16);
++ buf[6] = (unsigned char ) ((timestamp & 0xff00) >> 8);
++ buf[7] = (unsigned char ) ((timestamp & 0xff));
+ len = 8;
+-
++
+ /* Append remaining components to buf */
+ strcpy((char *)&buf[len], secret);
+ len += strlen(secret);
+@@ -857,7 +874,7 @@ ticket_digest(request_rec *r, auth_tkt *parsed, unsigned int timestamp, const ch
+ digest = ap_md5_binary(r->pool, buf, len);
+ }
+ if (conf->debug >= 3) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+ "TKT ticket_digest: digest0: '%s' (input length %d)", digest, len);
+ }
+
+@@ -879,7 +896,7 @@ ticket_digest(request_rec *r, auth_tkt *parsed, unsigned int timestamp, const ch
+ digest = ap_md5_binary(r->pool, buf2, len);
+ }
+ if (conf->debug >= 3) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+ "TKT ticket_digest: digest: '%s'", digest);
+ }
+
+@@ -897,21 +914,21 @@ valid_ticket(request_rec *r, const char *source, char *ticket, auth_tkt *parsed,
+ char *digest;
+ auth_tkt_serv_conf *sconf =
+ ap_get_module_config(r->server->module_config, &auth_tkt_module);
+- auth_tkt_dir_conf *conf =
++ auth_tkt_dir_conf *conf =
+ ap_get_module_config(r->per_dir_config, &auth_tkt_module);
+
+ /* Attempt to parse ticket */
+ if (! parse_ticket(r, &ticket, parsed)) {
+ if (conf->debug >= 1) {
+- ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r,
+ "TKT valid_ticket: unparseable %s ticket found ('%s')", source, ticket);
+ }
+ return 0;
+ }
+
+ if (conf->debug >= 1) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+- "TKT valid_ticket: (parsed) uid '%s', tokens '%s', user_data '%s', ts '%d'",
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ "TKT valid_ticket: (parsed) uid '%s', tokens '%s', user_data '%s', ts '%d'",
+ parsed->uid, parsed->tokens, parsed->user_data, parsed->timestamp);
+ }
+
+@@ -921,9 +938,9 @@ valid_ticket(request_rec *r, const char *source, char *ticket, auth_tkt *parsed,
+
+ /* Digest mismatch - if no old secret set, fail */
+ if(sconf->old_secret == NULL) {
+- ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r,
+ "TKT valid_ticket: ticket hash (current secret) is invalid, and no old secret set "
+- "- digest '%s', ticket '%s'",
++ "- digest '%s', ticket '%s'",
+ digest, ticket);
+ return 0;
+ }
+@@ -931,13 +948,13 @@ valid_ticket(request_rec *r, const char *source, char *ticket, auth_tkt *parsed,
+ /* Digest mismatch - if old_secret is set, recalculate using that */
+ else {
+ if (conf->debug >= 1) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+ "TKT valid_ticket: ticket hash (current secret) is invalid, but old_secret is set - checking ticket digest against that");
+ }
+ digest = ticket_digest(r, parsed, 0, sconf->old_secret);
+ if (memcmp(ticket, digest, sconf->digest_sz) != 0) {
+- ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r,
+- "TKT valid_ticket: ticket hash (old secret) is also invalid - digest '%s', ticket '%s'",
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r,
++ "TKT valid_ticket: ticket hash (old secret) is also invalid - digest '%s', ticket '%s'",
+ digest, ticket);
+ return 0;
+ }
+@@ -946,7 +963,7 @@ valid_ticket(request_rec *r, const char *source, char *ticket, auth_tkt *parsed,
+ else {
+ if (force_refresh != NULL) {
+ if (conf->debug >= 1) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+ "TKT valid_ticket: ticket_digest validated with old_secret - forcing a cookie refresh");
+ }
+ *force_refresh = 1;
+@@ -958,31 +975,31 @@ valid_ticket(request_rec *r, const char *source, char *ticket, auth_tkt *parsed,
+ return 1;
+ }
+
+-/* Check for required auth tokens
++/* Check for required auth tokens
+ * Returns 1 on success, 0 on failure */
+ static int
+ check_tokens(request_rec *r, char *tokens)
+ {
+- auth_tkt_dir_conf *conf =
++ auth_tkt_dir_conf *conf =
+ ap_get_module_config(r->per_dir_config, &auth_tkt_module);
+ char *next_parsed_token;
+ const char *t = NULL;
+- int match = 0;
++ int match = 0;
+
+ /* Success if no tokens required */
+- if (conf->auth_token->nelts == 0 ||
++ if (conf->auth_token->nelts == 0 ||
+ strcmp(((char **) conf->auth_token->elts)[0], "NULL") == 0) {
+ return 1;
+ }
+ /* Failure if required and no user tokens found */
+ if (tokens == NULL || strlen(tokens) == 0) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+ "TKT: no matching tokens! (no user tokens found)");
+ return 0;
+ }
+
+- t = apr_pstrdup(r->pool, tokens);
+-
++ t = apr_pstrdup(r->pool, tokens);
++
+ while (*t && (next_parsed_token = ap_getword(r->pool, &t, ','))) {
+ char ** auth_tokens = (char **) conf->auth_token->elts;
+ int i;
+@@ -990,16 +1007,16 @@ check_tokens(request_rec *r, char *tokens)
+ for (i=0; i < conf->auth_token->nelts; i++) {
+ int token_len = strlen(auth_tokens[i]);
+ if (strncmp(auth_tokens[i], next_parsed_token, token_len) == 0 &&
+- next_parsed_token[token_len] == 0) {
+- match = 1;
+- break;
++ next_parsed_token[token_len] == 0) {
++ match = 1;
++ break;
+ }
+ }
+ if (match) break;
+ }
+
+ if (conf->debug >= 1 && ! match) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+ "TKT: no matching tokens! (user tokens '%s')", tokens);
+ }
+
+@@ -1010,24 +1027,24 @@ check_tokens(request_rec *r, char *tokens)
+ static void
+ refresh_cookie(request_rec *r, auth_tkt *parsed, int timeout, int force_flag)
+ {
+- auth_tkt_serv_conf *sconf =
++ auth_tkt_serv_conf *sconf =
+ ap_get_module_config(r->server->module_config, &auth_tkt_module);
+- auth_tkt_dir_conf *conf =
++ auth_tkt_dir_conf *conf =
+ ap_get_module_config(r->per_dir_config, &auth_tkt_module);
+
+ /* The timeout refresh is a double between 0 and 1, signifying what
+- * proportion of the timeout should be left before we refresh i.e.
++ * proportion of the timeout should be left before we refresh i.e.
+ * 0 means never refresh (hard timeouts); 1 means always refresh;
+- * .33 means only refresh if less than a third of the timeout
+- * period remains. */
++ * .33 means only refresh if less than a third of the timeout
++ * period remains. */
+ unsigned int now = time(NULL);
+ int remainder = parsed->timestamp + timeout - now;
+ double refresh_sec = conf->timeout_refresh * timeout;
+
+ if (conf->debug >= 1) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+ "TKT refresh_cookie: timeout %d, refresh %.3f, remainder %d, refresh_sec %.3f, force_flag %d",
+- timeout, conf->timeout_refresh, remainder, refresh_sec, force_flag);
++ timeout, conf->timeout_refresh, remainder, refresh_sec, force_flag);
+ }
+
+ /* If less than our refresh_sec threshold, freshen the cookie */
+@@ -1036,29 +1053,29 @@ refresh_cookie(request_rec *r, auth_tkt *parsed, int timeout, int force_flag)
+ char *digest = ticket_digest(r, parsed, now, sconf->secret);
+ if (parsed->tokens) {
+ ticket = apr_psprintf(r->pool,
+- "%s%08x%s%c%s%c%s",
+- digest, now, parsed->uid,
+- SEPARATOR, parsed->tokens,
+- SEPARATOR, parsed->user_data);
++ "%s%08x%s%c%s%c%s",
++ digest, now, parsed->uid,
++ SEPARATOR, parsed->tokens,
++ SEPARATOR, parsed->user_data);
+ }
+ else {
+ ticket = apr_psprintf(r->pool,
+- "%s%08x%s%c%s",
++ "%s%08x%s%c%s",
+ digest, now, parsed->uid, SEPARATOR, parsed->user_data);
+ }
+ ticket_base64 = ap_pbase64encode(r->pool, ticket);
+
+- send_auth_cookie(r, ticket_base64);
++ send_auth_cookie(r, ticket_base64);
+ }
+ }
+-
+-/* Check whether the given timestamp has timed out
++
++/* Check whether the given timestamp has timed out
+ * Returns 1 if okay, 0 if timed out */
+ static int
+ check_timeout(request_rec *r, auth_tkt *parsed)
+ {
+ char *timeout_date, *timeout_cookie;
+- auth_tkt_dir_conf *conf =
++ auth_tkt_dir_conf *conf =
+ ap_get_module_config(r->per_dir_config, &auth_tkt_module);
+ unsigned int now = time(NULL);
+ unsigned int timestamp = parsed->timestamp;
+@@ -1073,24 +1090,24 @@ check_timeout(request_rec *r, auth_tkt *parsed)
+ /* Check whether timestamp is still fresh */
+ if (timestamp + timeout >= now) {
+ if (conf->debug >= 1) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+- "TKT: cookie timeout still good: now %d, timeout: %d, tstamp: %d",
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ "TKT: cookie timeout still good: now %d, timeout: %d, tstamp: %d",
+ now, timeout, timestamp);
+ }
+
+ /* Check whether to refresh the cookie */
+- if (conf->timeout_refresh > 0)
++ if (conf->timeout_refresh > 0)
+ refresh_cookie(r, parsed, timeout, CHECK_REFRESH);
+
+ return 1;
+ }
+
+ if (conf->debug >= 1) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+- "TKT: ticket timed out: now %d, timeout: %d, tstamp: %d",
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ "TKT: ticket timed out: now %d, timeout: %d, tstamp: %d",
+ now, timeout, timestamp);
+ }
+-
++
+ /* Delete cookie (set expired) if invalid, in case we want to set from url */
+ timeout_date = ap_ht_time(r->pool, now - 3600, "%a %d %b %Y %T %Z", 0);
+ timeout_cookie = domain ?
+@@ -1106,7 +1123,7 @@ check_timeout(request_rec *r, auth_tkt *parsed)
+ }
+
+ /* Strip specified query args from a url */
+-static char *
++static char *
+ query_strip(request_rec *r, const char *strip)
+ {
+ const char *args = NULL; /* url arguments string */
+@@ -1116,10 +1133,10 @@ query_strip(request_rec *r, const char *strip)
+
+ /* Use main request args if subrequest */
+ request_rec *r_main = r->main == NULL ? r : r->main;
+- if (r_main->args == NULL || strip == NULL)
++ if (r_main->args == NULL || strip == NULL)
+ return NULL;
+
+- args = apr_pstrdup(r->pool, r_main->args);
++ args = apr_pstrdup(r->pool, r_main->args);
+
+ /* Convert all '&' to ';' */
+ while ((p = ap_strchr(args, '&')))
+@@ -1130,7 +1147,7 @@ query_strip(request_rec *r, const char *strip)
+ key = ap_getword(r->pool, &val, '=');
+
+ /* Add to new_args only if key != strip */
+- if (strlen(strip) != strlen(key) || strncmp(key,strip,strlen(strip)) != 0)
++ if (strlen(strip) != strlen(key) || strncmp(key,strip,strlen(strip)) != 0)
+ new_args = apr_psprintf(r->pool, "%s&%s=%s", new_args, key, val);
+ }
+
+@@ -1155,14 +1172,14 @@ c2x(unsigned what, unsigned char *where)
+ }
+
+ /* Extra escaping - variant of httpd util.c ap_escape_path_segment */
+-static char *
++static char *
+ escape_extras(apr_pool_t *p, const char *segment)
+ {
+ char *copy = apr_palloc(p, 3 * strlen(segment) + 1);
+ const unsigned char *s = (const unsigned char *)segment;
+ unsigned char *d = (unsigned char *)copy;
+ unsigned c;
+-
++
+ while ((c = *s)) {
+ if (c == '=' || c == '&' || c == ':') {
+ d = c2x(c, d);
+@@ -1177,16 +1194,17 @@ escape_extras(apr_pool_t *p, const char *segment)
+ }
+
+ /* External redirect to the given url, setting back cookie or arg */
+-static int
++static int
+ redirect(request_rec *r, char *location)
+ {
+- auth_tkt_dir_conf *conf =
++ auth_tkt_dir_conf *conf =
+ ap_get_module_config(r->per_dir_config, &auth_tkt_module);
+
+ char *domain = get_domain(r,conf);
+ char *back_cookie_name = conf->back_cookie_name;
+ char *back_arg_name = conf->back_arg_name;
+- char *url, *cookie, *back;
++ char *url = location;
++ char *cookie, *back;
+ const char *hostinfo = 0;
+ int port;
+
+@@ -1209,10 +1227,10 @@ redirect(request_rec *r, char *location)
+ if (! hostinfo) hostinfo = apr_table_get(r->headers_in, "Host");
+ if (! hostinfo) {
+ /* Fallback to using r->hostname and the server port. This usually
+- works, but behind a reverse proxy the port may well be wrong.
++ works, but behind a reverse proxy the port may well be wrong.
+ On the other hand, it's really the proxy's problem, not ours.
+ */
+- ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
+ "TKT: could not find Host header, falling back to hostname/server port");
+ port = ap_get_server_port(r);
+ hostinfo = port == apr_uri_default_port_for_scheme(scheme) ?
+@@ -1222,22 +1240,22 @@ redirect(request_rec *r, char *location)
+
+ /* If no scheme, assume location is relative and expand using scheme and hostinfo */
+ if (strncasecmp(location, "http", 4) != 0) {
+- char *old_location = apr_pstrdup(r->pool, location);
++ char *old_location = apr_pstrdup(r->pool, location);
+ location = apr_psprintf(r->pool, "%s://%s/%s", scheme, hostinfo, location);
+ if (conf->debug >= 1) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+ "TKT relative URL '%s' expanded to '%s'", old_location, location);
+ }
+ }
+
+ /* Setup back URL */
+- back = apr_psprintf(r->pool, "%s://%s%s%s",
++ back = apr_psprintf(r->pool, "%s://%s%s%s",
+ scheme, hostinfo, r->uri, query);
+ if (conf->debug >= 1) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+ "TKT: back url '%s'", back);
+ }
+-
++
+ /* Escape testing */
+ back = ap_escape_path_segment(r->pool, back);
+ back = escape_extras(r->pool, back);
+@@ -1245,9 +1263,9 @@ redirect(request_rec *r, char *location)
+ /* Set back cookie if name is not null */
+ if (back_cookie_name) {
+ cookie = domain ?
+- apr_psprintf(r->pool, "%s=%s; path=/; domain=%s",
++ apr_psprintf(r->pool, "%s=%s; path=/; domain=%s",
+ back_cookie_name, back, domain) :
+- apr_psprintf(r->pool, "%s=%s; path=/",
++ apr_psprintf(r->pool, "%s=%s; path=/",
+ back_cookie_name, back);
+
+ apr_table_setn(r->err_headers_out, "Set-Cookie", cookie);
+@@ -1255,18 +1273,18 @@ redirect(request_rec *r, char *location)
+ }
+
+ /* If back_cookie_name not set, add a back url argument to url */
+- else {
+- char sep = ap_strchr(location, '?') ? ';' : '?';
+- url = apr_psprintf(r->pool, "%s%c%s=%s",
++ else if (back_arg_name) {
++ char sep = ap_strchr(location, '?') ? conf->query_separator[0] : '?';
++ url = apr_psprintf(r->pool, "%s%c%s=%s",
+ location, sep, back_arg_name, back);
+ }
+
+ if (conf->debug >= 2) {
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r,
+ "TKT: redirect '%s'", url);
+ }
+ apr_table_setn(r->headers_out, "Location", url);
+-
++
+ return HTTP_TEMPORARY_REDIRECT;
+ }
+
+@@ -1308,14 +1326,14 @@ get_guest_uid(request_rec *r, auth_tkt_dir_conf *conf)
+ if (regm[1].rm_so != -1) {
+ uuid_length_str = ap_pregsub(r->pool, "$1", guest_user,
+ UUID_SUBS, regm);
+- if (uuid_length_str)
++ if (uuid_length_str)
+ uuid_length = atoi(uuid_length_str);
+ }
+ if (uuid_length <= 0 || uuid_length > APR_UUID_FORMATTED_LENGTH) {
+ uuid_length = APR_UUID_FORMATTED_LENGTH;
+ }
+ if (conf->debug >= 1) {
+- ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
+ "TKT: %%U found in guest user (length %d)", uuid_length);
+ }
+ /* Generate the UUID */
+@@ -1323,7 +1341,7 @@ get_guest_uid(request_rec *r, auth_tkt_dir_conf *conf)
+ uuid_str = apr_palloc(r->pool, APR_UUID_FORMATTED_LENGTH + 1);
+ apr_uuid_get(uuid);
+ apr_uuid_format(uuid_str, uuid);
+- if (uuid_length < APR_UUID_FORMATTED_LENGTH)
++ if (uuid_length < APR_UUID_FORMATTED_LENGTH)
+ uuid_str[uuid_length] = '\0';
+ /* Generate the new guest_user string */
+ guest_user_length = strlen(guest_user);
+@@ -1338,7 +1356,7 @@ get_guest_uid(request_rec *r, auth_tkt_dir_conf *conf)
+ else
+ uuid_post = "";
+
+- return apr_psprintf(r->pool, "%s%s%s",
++ return apr_psprintf(r->pool, "%s%s%s",
+ uuid_pre, uuid_str, uuid_post);
+ }
+
+@@ -1348,7 +1366,7 @@ get_guest_uid(request_rec *r, auth_tkt_dir_conf *conf)
+ }
+
+ /* Set up the guest user info */
+-static int
++static int
+ setup_guest(request_rec *r, auth_tkt_dir_conf *conf, auth_tkt *tkt)
+ {
+ /* Only applicable if guest access on */
+@@ -1359,8 +1377,8 @@ setup_guest(request_rec *r, auth_tkt_dir_conf *conf, auth_tkt *tkt)
+ tkt->uid = get_guest_uid(r, conf);
+ tkt->user_data = "";
+ tkt->tokens = "";
+- ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
+- "TKT: no valid ticket found - accepting as guest user '%s'",
++ ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
++ "TKT: no valid ticket found - accepting as guest user '%s'",
+ tkt->uid);
+
+ return 1;
+@@ -1368,36 +1386,37 @@ setup_guest(request_rec *r, auth_tkt_dir_conf *conf, auth_tkt *tkt)
+
+ /* ----------------------------------------------------------------------- */
+ /* Debug routines */
+-void
+-dump_config(request_rec *r, auth_tkt_serv_conf *sconf, auth_tkt_dir_conf *conf)
++void
++dump_config(request_rec *r, auth_tkt_serv_conf *sconf, auth_tkt_dir_conf *conf)
+ {
+ /* Dump config settings */
+ fprintf(stderr,"[ mod_auth_tkt config ]\n");
+ fprintf(stderr,"URI: %s\n", r->uri);
+- fprintf(stderr,"Filename: %s\n", r->filename);
+- fprintf(stderr,"TKTAuthSecret: %s\n", sconf->secret);
+- fprintf(stderr,"TKTAuthSecretOld: %s\n", sconf->old_secret);
+- fprintf(stderr,"TKTAuthDigestType: %s\n", sconf->digest_type);
+- fprintf(stderr,"digest_sz: %d\n", sconf->digest_sz);
+- fprintf(stderr,"directory: %s\n", conf->directory);
+- fprintf(stderr,"TKTAuthLoginURL: %s\n", conf->login_url);
+- fprintf(stderr,"TKTAuthTimeoutURL: %s\n", conf->timeout_url);
+- fprintf(stderr,"TKTAuthPostTimeoutURL: %s\n", conf->post_timeout_url);
+- fprintf(stderr,"TKTAuthUnauthURL: %s\n", conf->unauth_url);
+- fprintf(stderr,"TKTAuthCookieName: %s\n", conf->auth_cookie_name);
+- fprintf(stderr,"TKTAuthDomain: %s\n", conf->auth_domain);
+- fprintf(stderr,"TKTAuthCookieExpires: %d\n", conf->cookie_expires);
+- fprintf(stderr,"TKTAuthBackCookieName: %s\n", conf->back_cookie_name);
+- fprintf(stderr,"TKTAuthBackArgName: %s\n", conf->back_arg_name);
+- fprintf(stderr,"TKTAuthIgnoreIP: %d\n", conf->ignore_ip);
+- fprintf(stderr,"TKTAuthRequireSSL: %d\n", conf->require_ssl);
+- fprintf(stderr,"TKTAuthCookieSecure: %d\n", conf->secure_cookie);
+- fprintf(stderr,"TKTAuthTimeoutMin: %d\n", conf->timeout_sec);
+- fprintf(stderr,"TKTAuthTimeoutRefresh: %f\n", conf->timeout_refresh);
+- fprintf(stderr,"TKTAuthGuestLogin: %d\n", conf->guest_login);
+- fprintf(stderr,"TKTAuthGuestCookie: %d\n", conf->guest_cookie);
+- fprintf(stderr,"TKTAuthGuestUser: %s\n", conf->guest_user);
+- fprintf(stderr,"TKTAuthGuestFallback %d\n", conf->guest_fallback);
++ fprintf(stderr,"Filename: %s\n", r->filename);
++ fprintf(stderr,"TKTAuthSecret: %s\n", sconf->secret);
++ fprintf(stderr,"TKTAuthSecretOld: %s\n", sconf->old_secret);
++ fprintf(stderr,"TKTAuthDigestType: %s\n", sconf->digest_type);
++ fprintf(stderr,"digest_sz: %d\n", sconf->digest_sz);
++ fprintf(stderr,"directory: %s\n", conf->directory);
++ fprintf(stderr,"TKTAuthLoginURL: %s\n", conf->login_url);
++ fprintf(stderr,"TKTAuthTimeoutURL: %s\n", conf->timeout_url);
++ fprintf(stderr,"TKTAuthPostTimeoutURL: %s\n", conf->post_timeout_url);
++ fprintf(stderr,"TKTAuthUnauthURL: %s\n", conf->unauth_url);
++ fprintf(stderr,"TKTAuthCookieName: %s\n", conf->auth_cookie_name);
++ fprintf(stderr,"TKTAuthDomain: %s\n", conf->auth_domain);
++ fprintf(stderr,"TKTAuthCookieExpires: %d\n", conf->cookie_expires);
++ fprintf(stderr,"TKTAuthBackCookieName: %s\n", conf->back_cookie_name);
++ fprintf(stderr,"TKTAuthBackArgName: %s\n", conf->back_arg_name);
++ fprintf(stderr,"TKTAuthIgnoreIP: %d\n", conf->ignore_ip);
++ fprintf(stderr,"TKTAuthRequireSSL: %d\n", conf->require_ssl);
++ fprintf(stderr,"TKTAuthCookieSecure: %d\n", conf->secure_cookie);
++ fprintf(stderr,"TKTAuthTimeoutMin: %d\n", conf->timeout_sec);
++ fprintf(stderr,"TKTAuthTimeoutRefresh: %f\n", conf->timeout_refresh);
++ fprintf(stderr,"TKTAuthGuestLogin: %d\n", conf->guest_login);
++ fprintf(stderr,"TKTAuthGuestCookie: %d\n", conf->guest_cookie);
++ fprintf(stderr,"TKTAuthGuestUser: %s\n", conf->guest_user);
++ fprintf(stderr,"TKTAuthGuestFallback %d\n", conf->guest_fallback);
++ fprintf(stderr,"TKTAuthQuerySeparator: %c\n", conf->query_separator);
+ if (conf->auth_token->nelts > 0) {
+ char ** auth_token = (char **) conf->auth_token->elts;
+ int i;
+@@ -1416,7 +1435,7 @@ auth_tkt_check(request_rec *r)
+ {
+ char *ticket;
+ auth_tkt *parsed = apr_palloc(r->pool, sizeof(*parsed));
+- auth_tkt_dir_conf *conf =
++ auth_tkt_dir_conf *conf =
+ ap_get_module_config(r->per_dir_config, &auth_tkt_module);
+ auth_tkt_serv_conf *sconf =
+ ap_get_module_config(r->server->module_config, &auth_tkt_module);
+@@ -1432,6 +1451,10 @@ auth_tkt_check(request_rec *r)
+ setup_digest_sz(sconf);
+ }
+
++ /* Map "None" back_arg_name to NULL */
++ if (conf->back_arg_name && strcmp(conf->back_arg_name, "None") == 0)
++ conf->back_arg_name = NULL;
++
+ /* Dump config if debugging */
+ if (conf->debug >= 2)
+ dump_config(r, sconf, conf);
+@@ -1442,21 +1465,21 @@ auth_tkt_check(request_rec *r)
+ }
+ /* Module misconfigured unless secret set */
+ if (! sconf->secret) {
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r,
+ "TKT: TKTAuthSecret missing");
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ /* Redirect/login if scheme not "https" and require_ssl is set */
+ if (conf->require_ssl > 0 && strcmp(scheme,"https") != 0) {
+- ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r,
+ "TKT: redirect/login - unsecured request, TKTAuthRequireSSL is on");
+ return redirect(r, conf->login_url);
+ }
+ /* Backwards compatibility mode for TKTAuthRequireSSL */
+ if (conf->require_ssl > 0 && conf->secure_cookie == -1) {
+- /* Set secure_cookie flag if require_ssl is set and secure_cookie is
++ /* Set secure_cookie flag if require_ssl is set and secure_cookie is
+ undefined (as opposed to 'off') */
+- ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, r,
+ "TKT: TKTAuthRequireSSL on, but no TKTAuthCookieSecure found - "
+ "please set TKTAuthCookieSecure explicitly, assuming 'on'");
+ conf->secure_cookie = 1;
+@@ -1472,13 +1495,13 @@ auth_tkt_check(request_rec *r)
+ }
+ if (! guest) {
+ if (conf->login_url) {
+- ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
+ "TKT: no valid ticket found - redirecting to login url");
+ return redirect(r, conf->login_url);
+ }
+ else {
+ /* Fatal error: guest setup failed, but we have no login url defined */
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r,
+ "TKT: guest login failed and no login url to fall back to - aborting");
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+@@ -1505,7 +1528,7 @@ auth_tkt_check(request_rec *r)
+ }
+ else {
+ /* Fatal error: guest setup failed, but we have no url to redirect to */
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r,
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r,
+ "TKT: ticket timeout, guest login failed, and no url to fall back to - aborting");
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+@@ -1546,11 +1569,11 @@ auth_tkt_check(request_rec *r)
+ /* Apache 1.3 style */
+
+ module MODULE_VAR_EXPORT auth_tkt_module = {
+- STANDARD_MODULE_STUFF,
++ STANDARD_MODULE_STUFF,
+ auth_tkt_version, /* initializer */
+- create_auth_tkt_config, /* create per-dir config structures */
+- merge_auth_tkt_config, /* merge per-dir config structures */
+- create_auth_tkt_serv_config, /* create per-server config structures */
++ create_auth_tkt_config, /* create per-dir config structures */
++ merge_auth_tkt_config, /* merge per-dir config structures */
++ create_auth_tkt_serv_config, /* create per-server config structures */
+ merge_auth_tkt_serv_config, /* merge per-server config structures */
+ auth_tkt_cmds, /* table of config file commands */
+ NULL, /* handlers */
+@@ -1580,10 +1603,10 @@ auth_tkt_register_hooks (apr_pool_t *p)
+
+ /* Declare and populate the main module data structure */
+ module AP_MODULE_DECLARE_DATA auth_tkt_module = {
+- STANDARD20_MODULE_STUFF,
+- create_auth_tkt_config, /* create per-dir config structures */
+- merge_auth_tkt_config, /* merge per-dir config structures */
+- create_auth_tkt_serv_config, /* create per-server config structures */
++ STANDARD20_MODULE_STUFF,
++ create_auth_tkt_config, /* create per-dir config structures */
++ merge_auth_tkt_config, /* merge per-dir config structures */
++ create_auth_tkt_serv_config, /* create per-server config structures */
+ merge_auth_tkt_serv_config, /* merge per-server config structures */
+ auth_tkt_cmds, /* table of config file commands */
+ auth_tkt_register_hooks /* register hooks */
+@@ -1591,6 +1614,6 @@ module AP_MODULE_DECLARE_DATA auth_tkt_module = {
+
+ #endif
+
+-/*
+- * vim:sw=2:sm
++/*
++ * vim:sw=2:sm:et
+ */
+diff --git a/t/extra.conf.1.in b/t/extra.conf.1.in
+index 3466a93..7fac764 100644
+--- a/t/extra.conf.1.in
++++ b/t/extra.conf.1.in
+@@ -240,6 +240,24 @@ TKTAuthDigestType "MD5"
+ TKTAuthGuestFallback on
+ </Location>
+
++# secret_back_explicit - explicit TKTAuthBackArgName
++<Location /secret_back_explicit>
++ AuthType None
++ require valid-user
++ TKTAuthLoginURL http://localhost/pub/login.cgi
++ TKTAuthBackArgName redirect_to
++ TKTAuthDebug 2
++</Location>
++
++# secret_back_none - null TKTAuthBackArgName
++<Location /secret_back_none>
++ AuthType None
++ require valid-user
++ TKTAuthLoginURL http://localhost/pub/login.cgi
++ TKTAuthBackArgName None
++ TKTAuthDebug 2
++</Location>
++
+ # virtual host testing - with per-host secret
+ <VirtualHost VHostLocalSecret>
+ TKTAuthSecret "vhostlocalsecret"
+diff --git a/t/extra.conf.2.in b/t/extra.conf.2.in
+index d2e5c03..d0e2770 100644
+--- a/t/extra.conf.2.in
++++ b/t/extra.conf.2.in
+@@ -346,6 +346,24 @@ TKTAuthDigestType "MD5"
+ TKTAuthGuestFallback on
+ </Location>
+
++# secret_back_explicit - explicit TKTAuthBackArgName
++<Location /secret_back_explicit>
++ AuthType None
++ require valid-user
++ TKTAuthLoginURL http://localhost/pub/login.cgi
++ TKTAuthBackArgName redirect_to
++ TKTAuthDebug 2
++</Location>
++
++# secret_back_none - null TKTAuthBackArgName
++<Location /secret_back_none>
++ AuthType None
++ require valid-user
++ TKTAuthLoginURL http://localhost/pub/login.cgi
++ TKTAuthBackArgName None
++ TKTAuthDebug 2
++</Location>
++
+ # virtual host testing - with per-host secret
+ <VirtualHost VHostLocalSecret>
+ DocumentRoot @documentroot@/vhost_local_secret
generated by cgit (git 2.34.1) at 2024-11-05 20:34:45 +0800