From: Nick Porter Date: Mon, 17 Feb 2025 17:53:09 +0000 (+0000) Subject: Remove & from policy files X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d8aee287b239a3d3d532e1af15334fb1fc8c2f26;p=thirdparty%2Ffreeradius-server.git Remove & from policy files --- diff --git a/raddb/policy.d/accounting b/raddb/policy.d/accounting index 0227aaff4e8..19f6c757556 100644 --- a/raddb/policy.d/accounting +++ b/raddb/policy.d/accounting @@ -57,8 +57,8 @@ acct_unique { # initial authentication session (Common in a # wireless environment). # - if ("%{Class}" =~ /${policy.class_value_prefix}([0-9a-f]{32})/i) { - &request.Acct-Unique-Session-Id := %hex(%md5("%{1}%{Acct-Session-ID}")) + if (Class =~ /${policy.class_value_prefix}([0-9a-f]{32})/i) { + request.Acct-Unique-Session-Id := %hex(%md5("%{1}%{Acct-Session-ID}")) } # @@ -68,7 +68,7 @@ acct_unique { # is not included # else { - &request.Acct-Unique-Session-Id := %hex(%md5("%{User-Name},%{Acct-Multi-Session-ID},%{Acct-Session-ID},%{&NAS-IPv6-Address || &NAS-IP-Address},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}")) + request.Acct-Unique-Session-Id := %hex(%md5("%{User-Name},%{Acct-Multi-Session-ID},%{Acct-Session-ID},%{&NAS-IPv6-Address || &NAS-IP-Address},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}")) } } @@ -76,7 +76,7 @@ acct_unique { # Insert a (hopefully unique) value into class # insert_acct_class { - &reply.Class = '${policy.class_value_prefix}' + %hex(%md5("%t%I%{Net.Src.Port}%{Net.Src.IP}%{NAS-IP-Address}%{Calling-Station-ID}%{User-Name}")) + reply.Class = '${policy.class_value_prefix}' + %hex(%md5("%t%I%{Net.Src.Port}%{Net.Src.IP}%{NAS-IP-Address}%{Calling-Station-ID}%{User-Name}")) } # 
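Review bot: `%{&NAS-IPv6-Address || &NAS-IP-Address}` in the new acct_unique else branch still carries the `&` prefix that the commit removes everywhere else, so the cleanup is incomplete in this hunk. The same leftover appears on right-hand sides elsewhere in the commit: `reply.User-Name := &request.User-Name` (cui), `reply.Server-Identifier = &control.Server-Identifier` (dhcp), and `&when = control.Expiration - %l` / `reply.Session-Timeout <= &when` (time), while `request.Calling-Station-Id = outer.request.Calling-Station-Id` in copy_request_to_tunnel suggests the bare form is accepted on the right-hand side. If the prefix is still required in some of those positions (the `reply -= &Reply-Message[*]` forms in eap may be such a case), a one-line comment saying so would stop the next cleanup from breaking them; otherwise they should be converted here as well, e.g. `%{NAS-IPv6-Address || NAS-IP-Address}`.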
@@ -85,17 +85,17 @@ insert_acct_class { # If the &Attr-Foo doesn't exist, it's value is taken as zero. # acct_counters64 { - if (!&Acct-Input-Gigawords) { - &request.Acct-Input-Octets64 := %{&Acct-Input-Octets || 0} + if (!Acct-Input-Gigawords) { + request.Acct-Input-Octets64 := %{Acct-Input-Octets || 0} } else { - &request.Acct-Input-Octets64 = (((uint64) &Acct-Input-Gigawords) << 32) | (uint64) &Acct-Input-Octets + request.Acct-Input-Octets64 = (((uint64) Acct-Input-Gigawords) << 32) | (uint64) Acct-Input-Octets } - if (!&Acct-Output-Gigawords) { - &request.Acct-Output-Octets64 := %{&Acct-Output-Octets || 0} + if (!Acct-Output-Gigawords) { + request.Acct-Output-Octets64 := %{Acct-Output-Octets || 0} } else { - &request.Acct-Output-Octets64 = (((uint64) &Acct-Output-Gigawords) << 32) | (uint64) &Acct-Output-Octets + request.Acct-Output-Octets64 = (((uint64) Acct-Output-Gigawords) << 32) | (uint64) Acct-Output-Octets } } diff --git a/raddb/policy.d/canonicalisation b/raddb/policy.d/canonicalisation index ae6955797e7..7ab2c3b89cb 100644 --- a/raddb/policy.d/canonicalisation +++ b/raddb/policy.d/canonicalisation @@ -17,15 +17,15 @@ nai_regexp = '^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$' split_username_nai { - if (&User-Name && (&User-Name =~ /${policy.nai_regexp}/)) { - &request.Stripped-User-Name := "%{1}" + if (User-Name && (User-Name =~ /${policy.nai_regexp}/)) { + request.Stripped-User-Name := "%{1}" # Only add the Stripped-User-Domain attribute if # we have a domain. This means presence checks # for Stripped-User-Domain work. if ("%{3}" != '') { - &request.Stripped-User-Domain = "%{3}" + request.Stripped-User-Domain = "%{3}" } # If any of the expansions result in a null 
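Review bot: The comment heading acct_counters64 still reads `# If the &Attr-Foo doesn't exist, it's value is taken as zero.`, keeping the `&` syntax this commit retires and carrying a typo; suggest `# If the Attr-Foo attribute doesn't exist, its value is taken as zero.` The `(((uint64) Acct-Input-Gigawords) << 32) | (uint64) Acct-Input-Octets` expressions are unchanged in behaviour, so only the comment needs touching. The acct_counters64 block starts and ends inside this hunk.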
@@ -51,12 +51,12 @@ mac-addr-regexp = '([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^ # be provided by 802.1X authenticators. # rewrite_called_station_id { - if (&Called-Station-Id && (&Called-Station-Id =~ /^${policy.mac-addr-regexp}([^0-9a-f](.+))?$/i)) { - &request.Called-Station-Id := "%toupper(%{1}-%{2}-%{3}-%{4}-%{5}-%{6})" + if (Called-Station-Id && (Called-Station-Id =~ /^${policy.mac-addr-regexp}([^0-9a-f](.+))?$/i)) { + request.Called-Station-Id := "%toupper(%{1}-%{2}-%{3}-%{4}-%{5}-%{6})" # SSID component? if ("%{8}") { - &request.Called-Station-SSID := "%{8}" + request.Called-Station-SSID := "%{8}" } updated } @@ -73,8 +73,8 @@ rewrite_called_station_id { # be provided by 802.1X authenticators. # rewrite_calling_station_id { - if (&Calling-Station-Id && (&Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i)) { - &request.Calling-Station-Id := "%toupper(%{1}-%{2}-%{3}-%{4}-%{5}-%{6})" + if (Calling-Station-Id && (Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i)) { + request.Calling-Station-Id := "%toupper(%{1}-%{2}-%{3}-%{4}-%{5}-%{6})" updated } diff --git a/raddb/policy.d/control b/raddb/policy.d/control index d4a9a25e039..b1bfce21993 100644 --- a/raddb/policy.d/control +++ b/raddb/policy.d/control @@ -3,7 +3,7 @@ # then use the "do_not_respond" policy. # do_not_respond { - &reply.Packet-Type := ::Do-Not-Respond + reply.Packet-Type := ::Do-Not-Respond handled } @@ -12,7 +12,7 @@ do_not_respond { # Send Access-Accept immediately # accept { - &reply.Packet-Type := ::Access-Accept + reply.Packet-Type := ::Access-Accept handled } @@ -21,7 +21,7 @@ accept { # Send Access-Challenge immediately # challenge { - &reply.Packet-Type := ::Access-Challenge + reply.Packet-Type := ::Access-Challenge handled } @@ -30,7 +30,7 @@ challenge { # Send an Accounting-Response immediately # acct_response { - &reply.Packet-Type := ::Accounting-Response + reply.Packet-Type := ::Accounting-Response handled } 
@@ -42,8 +42,8 @@ acct_response { # include the original packet code in the reply. # protocol_error { - &reply.Packet-Type := Accounting-Response - &reply.Original-Packet-Code := "%{Packet-Type}" + reply.Packet-Type := ::Accounting-Response + reply.Original-Packet-Code := Packet-Type handled } @@ -52,7 +52,7 @@ protocol_error { # Discard the packet without replying # discard { - &reply.Packet-Type := ::Do-Not-Respond + reply.Packet-Type := ::Do-Not-Respond handled } diff --git a/raddb/policy.d/cui b/raddb/policy.d/cui index c70952d92f1..78fbf9ae0c8 100644 --- a/raddb/policy.d/cui +++ b/raddb/policy.d/cui @@ -40,7 +40,7 @@ cui_require_operator_name = "no" # cui.authorize { if ("%client(add_cui)" == 'yes') { - &request.Chargeable-User-Identity := 0x00 + request.Chargeable-User-Identity := 0x00 } } @@ -52,9 +52,9 @@ cui.authorize { # use_tunneled_reply parameter MUST be set to yes # cui.post-auth { - if (!&control.Proxy-To-Realm && &Chargeable-User-Identity && !&reply.Chargeable-User-Identity && - (&Operator-Name || ('${policy.cui_require_operator_name}' != 'yes')) ) { - &reply.Chargeable-User-Identity = "%sha1(${policy.cui_hash_key}%tolower(%{User-Name}%{&Operator-Name || ''}))" + if (!control.Proxy-To-Realm && Chargeable-User-Identity && !reply.Chargeable-User-Identity && + (Operator-Name || ('${policy.cui_require_operator_name}' != 'yes')) ) { + reply.Chargeable-User-Identity = "%sha1(${policy.cui_hash_key}%tolower(%{User-Name}%{Operator-Name || ''}))" } # @@ -65,9 +65,9 @@ cui.post-auth { # If your NAS can do CUI based accounting themselves or you do not care about # accounting, comment out the 'cuisql' line below. # - if (&reply.Chargeable-User-Identity) { + if (reply.Chargeable-User-Identity) { # Force User-Name to be the User-Name from the request - &reply.User-Name := &request.User-Name + reply.User-Name := &request.User-Name cuisql } 
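Review bot: protocol_error changes more than the `&` prefix: `reply.Packet-Type := Accounting-Response` becomes `reply.Packet-Type := ::Accounting-Response`, and `reply.Original-Packet-Code := "%{Packet-Type}"` becomes `reply.Original-Packet-Code := Packet-Type`, which switches from assigning an expanded string to assigning the attribute value directly. Both look like intended fixes (the `::` form matches the other policies in this file), but neither is mentioned in the commit message, and the second presumably depends on Original-Packet-Code and Packet-Type having compatible types. Confirming that and stating the behaviour change in the message would keep it from being hidden behind a syntax-cleanup title.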
@@ -75,9 +75,9 @@ cui.post-auth { cui-inner.post-auth { - if (&outer.request.Chargeable-User-Identity && \ - (&outer.request.Operator-Name || ('${policy.cui_require_operator_name}' != 'yes'))) { - &reply.Chargeable-User-Identity := "%sha1(${policy.cui_hash_key}%tolower(%{User-Name}%{&outer.request.Operator-Name || ''}))" + if (outer.request.Chargeable-User-Identity && \ + (outer.request.Operator-Name || ('${policy.cui_require_operator_name}' != 'yes'))) { + reply.Chargeable-User-Identity := "%sha1(${policy.cui_hash_key}%tolower(%{User-Name}%{outer.request.Operator-Name || ''}))" } } @@ -92,8 +92,8 @@ cui.accounting { # If the CUI isn't in the packet, see if we can find it # in the DB. # - if (!&Chargeable-User-Identity) { - &request.Chargeable-User-Identity := %cuisql(\ + if (!Chargeable-User-Identity) { + request.Chargeable-User-Identity := %cuisql(\ SELECT cui FROM cui \ WHERE clientipaddress = '%{Net.Src.IP}' \ AND callingstationid = '%{Calling-Station-Id}' \ @@ -104,7 +104,7 @@ cui.accounting { # If it exists now, then write out when we last saw # this CUI. # - if (&Chargeable-User-Identity && (&Chargeable-User-Identity != '')) { + if (Chargeable-User-Identity && (Chargeable-User-Identity != '')) { cuisql } } diff --git a/raddb/policy.d/dhcp b/raddb/policy.d/dhcp index 12548fdce0d..bca5b7ff183 100644 --- a/raddb/policy.d/dhcp +++ b/raddb/policy.d/dhcp 
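Review bot: The `%cuisql(...)` lookup in cui.accounting builds its WHERE clause by expanding `'%{Net.Src.IP}'` and `'%{Calling-Station-Id}'` inline, and Calling-Station-Id is supplied by the NAS. This is unchanged by the commit and presumably relies on the sql module escaping xlat expansions, but that reliance is not stated in the policy; a short comment such as `# Expanded values are escaped by the sql module's xlat; keep this query inside %cuisql()` would make the assumption visible to anyone copying the pattern. The statement continues past the end of this hunk.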
@@ -3,11 +3,11 @@ dhcp_common { # The contents here are invented. Change them! # Lease time is referencing the lease time set in the # named module instance configuration - &reply.Domain-Name-Server = 127.0.0.1 - &reply.Domain-Name-Server = 127.0.0.2 - &reply.Subnet-Mask = 255.255.255.0 - &reply.Router-Address = 192.0.2.1 - &reply.IP-Address-Lease-Time = 7200 -# &reply.IP-Address-Lease-Time = "${modules.sqlippool[sqlippool].lease_duration}" - &reply.Server-Identifier = &control.Server-Identifier + reply.Domain-Name-Server = 127.0.0.1 + reply.Domain-Name-Server = 127.0.0.2 + reply.Subnet-Mask = 255.255.255.0 + reply.Router-Address = 192.0.2.1 + reply.IP-Address-Lease-Time = 7200 +# reply.IP-Address-Lease-Time = "${modules.sqlippool[sqlippool].lease_duration}" + reply.Server-Identifier = &control.Server-Identifier } diff --git a/raddb/policy.d/eap b/raddb/policy.d/eap index 31faa8d4d0e..990508b8a2c 100644 --- a/raddb/policy.d/eap +++ b/raddb/policy.d/eap @@ -3,7 +3,7 @@ # into the "recv Access-Request" section. # forbid_eap { - if (&EAP-Message) { + if (EAP-Message) { reject } } @@ -12,12 +12,12 @@ forbid_eap { # Forbid all non-EAP types outside of an EAP tunnel. # permit_only_eap { - if (!&EAP-Message) { + if (!EAP-Message) { # We MAY be inside of a TTLS tunnel. # PEAP and EAP-FAST require EAP inside of # the tunnel, so this check is OK. # If so, then there MUST be an outer EAP message. - if (!&outer.request || !&outer.request.EAP-Message) { + if (!outer.request || !outer.request.EAP-Message) { reject } } @@ -30,8 +30,8 @@ permit_only_eap { # not be present in the same response. # remove_reply_message_if_eap { - if (&reply.EAP-Message && &reply.Reply-Message) { - &reply -= &Reply-Message[*] + if (reply.EAP-Message && reply.Reply-Message) { + reply -= &Reply-Message[*] } else { noop 
@@ -46,8 +46,8 @@ remove_reply_message_if_eap { # to copy now have to be explicitly listed. # copy_request_to_tunnel { - &request.Calling-Station-Id = &outer.request.Calling-Station-Id - &request.Called-Station-Id = &outer.request.Called-Station-Id + request.Calling-Station-Id = outer.request.Calling-Station-Id + request.Called-Station-Id = outer.request.Called-Station-Id } # @@ -62,7 +62,7 @@ use_tunneled_reply { # These attributes are for the inner-tunnel only, # and MUST NOT be copied to the outer reply. # - &reply -= &User-Name[*] + reply -= &User-Name[*] # # Copy the remaining inner reply attributes to the outer @@ -73,6 +73,6 @@ use_tunneled_reply { # 'send Access-Accept' policy in sites-available/default will # copy the outer session-state list to the final reply. # - &outer.session-state += &reply + outer.session-state += reply } diff --git a/raddb/policy.d/filter b/raddb/policy.d/filter index 54441a3e28a..f67202b562b 100644 --- a/raddb/policy.d/filter +++ b/raddb/policy.d/filter @@ -3,7 +3,7 @@ # realms. # deny_realms { - if (&User-Name && (&User-Name =~ /@|\\/)) { + if (User-Name && (User-Name =~ /@|\\/)) { reject } } 
@@ -16,28 +16,28 @@ deny_realms { # what constitutes a user name. # filter_username { - if (&State) { - if (&User-Name) { - if (!&session-state.Session-State-User-Name) { - &request += { - &Module-Failure-Message = "No cached session-state.Session-State-User-Name" + if (State) { + if (User-Name) { + if (!session-state.Session-State-User-Name) { + request += { + Module-Failure-Message = "No cached session-state.Session-State-User-Name" } reject } - if (&User-Name != &session-state.Session-State-User-Name) { - &request += { - &Module-Failure-Message = "User-Name does not match cached session-state.Session-State-User-Name" + if (User-Name != session-state.Session-State-User-Name) { + request += { + Module-Failure-Message = "User-Name does not match cached session-state.Session-State-User-Name" } reject } } } - elsif (&User-Name) { + elsif (User-Name) { # # reject mixed case e.g. "UseRNaMe" # - #if (&User-Name != "%tolower(%{User-Name}}") { + #if (User-Name != "%tolower(%{User-Name}}") { # reject #} @@ -45,9 +45,9 @@ filter_username { # reject all whitespace # e.g. "user@ site.com", or "us er", or " user", or "user " # - if (&User-Name =~ / /) { - &request += { - &Module-Failure-Message = "User-Name contains whitespace" + if (User-Name =~ / /) { + request += { + Module-Failure-Message = "User-Name contains whitespace" } reject } @@ -56,9 +56,9 @@ filter_username { # reject Multiple @'s # e.g. "user@site.com@site.com" # - if (&User-Name =~ /@[^@]*@/ ) { - &request += { - &Module-Failure-Message = "Multiple @ in User-Name" + if (User-Name =~ /@[^@]*@/ ) { + request += { + Module-Failure-Message = "Multiple @ in User-Name" } reject } 
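Review bot: The commented-out mixed-case check in filter_username now reads `#if (User-Name != "%tolower(%{User-Name}}") {`, where the closing `}}` leaves the `%tolower(` call unterminated, so whoever uncomments it will hit a parse error. Since the commit already rewrites this line, it is the natural place to correct it to `#if (User-Name != "%tolower(%{User-Name})") {`. The filter_username block continues past the end of this hunk.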
@@ -67,9 +67,9 @@ filter_username { # reject double dots # e.g. "user@site..com" # - if (&User-Name =~ /\.\./ ) { - &request += { - &Module-Failure-Message = "User-Name contains multiple dots (e.g. user@site..com)" + if (User-Name =~ /\.\./ ) { + request += { + Module-Failure-Message = "User-Name contains multiple dots (e.g. user@site..com)" } reject } @@ -78,9 +78,9 @@ filter_username { # must have at least 1 string-dot-string after @ # e.g. "user@site.com" # - if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { - &request += { - &Module-Failure-Message = "Realm does not have at least one dot separator" + if ((User-Name =~ /@/) && (User-Name !~ /@[^.]+(\.[^.]+)+$/)) { + request += { + Module-Failure-Message = "Realm does not have at least one dot separator" } reject } @@ -89,9 +89,9 @@ filter_username { # Realm ends with a dot # e.g. "user@site.com." # - if (&User-Name =~ /\.$/) { - &request += { - &Module-Failure-Message = "Realm ends with a dot" + if (User-Name =~ /\.$/) { + request += { + Module-Failure-Message = "Realm ends with a dot" } reject } @@ -100,14 +100,14 @@ filter_username { # Realm begins with a dot # e.g. "user@.site.com" # - if (&User-Name =~ /@\./) { - &request += { - &Module-Failure-Message = "Realm begins with a dot" + if (User-Name =~ /@\./) { + request += { + Module-Failure-Message = "Realm begins with a dot" } reject } - &session-state.Session-State-User-Name := &User-Name + session-state.Session-State-User-Name := User-Name } } @@ -118,17 +118,17 @@ filter_username { # This policy filters them out. # filter_password { - if &User-Password { + if User-Password { group tmp octets delim # # Because "\000" yields "zero length delimiter is not allowed" # - &delim = 0x00 - &tmp.User-Password := %explode(%{User-Password}, "%{delim}") + delim = 0x00 + tmp.User-Password := %explode(%{User-Password}, "%{delim}") - &User-Password := &tmp.User-Password[0] + User-Password := tmp.User-Password[0] } } 
@@ -136,9 +136,9 @@ filter_inner_identity { # # No names, reject. # - if (!&outer.request.User-Name || !&User-Name) { - &request += { - &Module-Failure-Message = "User-Name is required for tunneled authentication" + if (!outer.request.User-Name || !User-Name) { + request += { + Module-Failure-Message = "User-Name is required for tunneled authentication" } reject } @@ -150,12 +150,12 @@ filter_inner_identity { # If the NAIs are the same, it violates user privacy, # but is allowed. # - if (&outer.request.User-Name != &User-Name) { + if (outer.request.User-Name != User-Name) { # # Get the outer realm. # - if (&outer.request.User-Name =~ /@([^@]+)$/) { - &request.Outer-Realm-Name = %{1} + if (outer.request.User-Name =~ /@([^@]+)$/) { + request.Outer-Realm-Name = %{1} # # When we have an outer realm name, the user portion @@ -164,9 +164,9 @@ filter_inner_identity { # We don't check for the full "anonymous", because # some vendors don't follow the standards. # - if (&outer.request.User-Name !~ /^(anon|@)/) { - &request += { - &Module-Failure-Message = "User-Name is not anonymized" + if (outer.request.User-Name !~ /^(anon|@)/) { + request += { + Module-Failure-Message = "User-Name is not anonymized" } reject } @@ -179,9 +179,9 @@ filter_inner_identity { # Otherwise, you could log in as outer "bob", and inner "doug", # and we'd have no idea which one was correct. # - elsif (&outer.request.User-Name !~ /^anon/) { - &request += { - &Module-Failure-Message = "User-Name is not anonymized" + elsif (outer.request.User-Name !~ /^anon/) { + request += { + Module-Failure-Message = "User-Name is not anonymized" } reject } @@ -189,8 +189,8 @@ filter_inner_identity { # # Get the inner realm. # - if (&User-Name =~ /@([^@]+)$/) { - &request.Inner-Realm-Name = %{1} + if (User-Name =~ /@([^@]+)$/) { + request.Inner-Realm-Name = %{1} # # Note that we do EQUALITY checks for realm names. 
@@ -203,11 +203,11 @@ filter_inner_identity { # If the inner realm isn't the same as the outer realm, # the inner realm MUST be a subdomain of the outer realm. # - if (&Outer-Realm-Name && \ - (&Inner-Realm-Name != &Outer-Realm-Name) && \ - (&Inner-Realm-Name !~ /\.%{Outer-Realm-Name}$/)) { - &request += { - &Module-Failure-Message = "Inner realm '%{Inner-Realm-Name}' and outer realm '%{Outer-Realm-Name}' are not from the same domain." + if (Outer-Realm-Name && \ + (Inner-Realm-Name != Outer-Realm-Name) && \ + (Inner-Realm-Name !~ /\.%{Outer-Realm-Name}$/)) { + request += { + Module-Failure-Message = "Inner realm '%{Inner-Realm-Name}' and outer realm '%{Outer-Realm-Name}' are not from the same domain." } reject } diff --git a/raddb/policy.d/operator-name b/raddb/policy.d/operator-name index 467d770f14a..8fff08761a8 100644 --- a/raddb/policy.d/operator-name +++ b/raddb/policy.d/operator-name @@ -27,6 +27,6 @@ # operator-name.authorize { if ("%client(Operator-Name)") { - &request.Operator-Name = "%client(Operator-Name)" + request.Operator-Name = "%client(Operator-Name)" } } diff --git a/raddb/policy.d/time b/raddb/policy.d/time index 2dbec4cbada..45b5f3d8530 100644 --- a/raddb/policy.d/time +++ b/raddb/policy.d/time @@ -2,19 +2,19 @@ # Handles the Expiration attribute # expiration { - if (&control.Expiration) { + if (control.Expiration) { time_delta when # # %l is "when the server received the request" # - if (&control.Expiration < %l) { + if (control.Expiration < %l) { disallow return } - &when = &control.Expiration - %l + &when = control.Expiration - %l - &reply.Session-Timeout <= &when + reply.Session-Timeout <= &when } } diff --git a/raddb/policy.d/vendor b/raddb/policy.d/vendor index 8cb0da4b7e9..8b99b0909b1 100644 --- a/raddb/policy.d/vendor +++ b/raddb/policy.d/vendor @@ -7,7 +7,7 @@ broadsoft-decode { foreach value ( BroadSoft-Attr-255 ) { if (value =~ /^([0-9]+)=(.*)$/) { - "&request.BroadSoft-Attr-%{1}" += "%{2}" + "request.BroadSoft-Attr-%{1}" += "%{2}" } }
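Review bot: The subdomain check `(Inner-Realm-Name !~ /\.%{Outer-Realm-Name}$/)` interpolates Outer-Realm-Name into a regular expression without escaping, and that value is captured from the client-supplied outer User-Name by `/@([^@]+)$/` earlier in filter_inner_identity. Regex metacharacters in the outer realm therefore change what the pattern matches, which can make the "same domain" check weaker than the comment above it promises. Escaping the expansion, or restricting Outer-Realm-Name to a conservative character class before it is used, would keep the comparison literal; a comment on the `if` noting that the value is client-influenced would also help. The enclosing filter_inner_identity block starts before this hunk.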