From 10ad934b77f6af80410d9055ea6bcc1bd06b67ad Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Tue, 8 Feb 2022 15:44:18 -0700 Subject: [PATCH] Don't escape double quotes (") in a command when printing it. Previously, cvtsudoers and "sudo -l" would escape double quotes in a command or command line argument, which is not valid sudoers syntax. --- plugins/sudoers/fmtsudoers.c | 4 ++-- plugins/sudoers/parse.h | 4 +++- plugins/sudoers/regress/sudoers/test2.in | 3 +++ plugins/sudoers/regress/sudoers/test2.json.ok | 17 +++++++++++++++++ plugins/sudoers/regress/sudoers/test2.ldif.ok | 11 +++++++++++ .../sudoers/regress/sudoers/test2.ldif2sudo.ok | 3 +++ plugins/sudoers/regress/sudoers/test2.out.ok | 1 + plugins/sudoers/regress/sudoers/test2.toke.ok | 3 +++ 8 files changed, 43 insertions(+), 3 deletions(-) diff --git a/plugins/sudoers/fmtsudoers.c b/plugins/sudoers/fmtsudoers.c index eb22b9b2b..7daef40a8 100644 --- a/plugins/sudoers/fmtsudoers.c +++ b/plugins/sudoers/fmtsudoers.c @@ -68,11 +68,11 @@ sudoers_format_member_int(struct sudo_lbuf *lbuf, } if (negated) sudo_lbuf_append(lbuf, "!"); - sudo_lbuf_append_quoted(lbuf, SUDOERS_QUOTED" \t", "%s", + sudo_lbuf_append_quoted(lbuf, SUDOERS_QUOTED_CMD, "%s", c->cmnd ? c->cmnd : "ALL"); if (c->args) { sudo_lbuf_append(lbuf, " "); - sudo_lbuf_append_quoted(lbuf, SUDOERS_QUOTED, "%s", c->args); + sudo_lbuf_append_quoted(lbuf, SUDOERS_QUOTED_ARG, "%s", c->args); } break; case USERGROUP: diff --git a/plugins/sudoers/parse.h b/plugins/sudoers/parse.h index fc26ff2f1..045ff1b34 100644 --- a/plugins/sudoers/parse.h +++ b/plugins/sudoers/parse.h @@ -24,7 +24,9 @@ #include "sudo_queue.h" /* Characters that must be quoted in sudoers. */ -#define SUDOERS_QUOTED ":\\,=#\"" +#define SUDOERS_QUOTED ":\\,=#\"" +#define SUDOERS_QUOTED_CMD ":\\,= \t#" +#define SUDOERS_QUOTED_ARG ":\\,=#" /* Returns true if string 's' contains meta characters. */ #define has_meta(s) (strpbrk(s, "\\?*[]") != NULL) 
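Review bot: In parse.h the single comment `/* Characters that must be quoted in sudoers. */` now sits above three sets with different uses, and nothing says which set belongs to which token type. The fmtsudoers.c hunk uses SUDOERS_QUOTED_CMD for `c->cmnd` and SUDOERS_QUOTED_ARG for `c->args`, while SUDOERS_QUOTED, which still contains the double quote, is presumably left for the other member types. A later caller that picks SUDOERS_QUOTED for a command would bring back the escaped quotes this commit removes, so each macro deserves its own comment. I would add `/* Command path: blank and tab are escaped, double quote is literal. */` above SUDOERS_QUOTED_CMD and `/* Command arguments (appended as one string): double quote is literal. */` above SUDOERS_QUOTED_ARG. The switch in sudoers_format_member_int starts and ends outside the hunk.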
diff --git a/plugins/sudoers/regress/sudoers/test2.in b/plugins/sudoers/regress/sudoers/test2.in index cfdfaa34a..b81ae544f 100644 --- a/plugins/sudoers/regress/sudoers/test2.in +++ b/plugins/sudoers/regress/sudoers/test2.in @@ -58,3 +58,6 @@ Defaults>"some one" set_home "%:C/non_UNIX_0 c" "hostf" = ("root") ALL "%:C/non\'UNIX_3 c" "hostg" = ("root") ALL "+netgr" "hosth" = ("root") ALL + +# Check that quotes don't need escaping in command and args +user ALL = /bin/ls "", /bin/echo " ", /bin/foo"bar "" diff --git a/plugins/sudoers/regress/sudoers/test2.json.ok b/plugins/sudoers/regress/sudoers/test2.json.ok index 769c3fd08..46e4c4869 100644 --- a/plugins/sudoers/regress/sudoers/test2.json.ok +++ b/plugins/sudoers/regress/sudoers/test2.json.ok @@ -398,6 +398,23 @@ ] } ] + }, + { + "User_List": [ + { "username": "user" } + ], + "Host_List": [ + { "hostname": "ALL" } + ], + "Cmnd_Specs": [ + { + "Commands": [ + { "command": "/bin/ls \"\"" }, + { "command": "/bin/echo \" \"" }, + { "command": "/bin/foo\"bar \"\"" } + ] + } + ] } ] } diff --git a/plugins/sudoers/regress/sudoers/test2.ldif.ok b/plugins/sudoers/regress/sudoers/test2.ldif.ok index 48ba6551c..31d708f64 100644 --- a/plugins/sudoers/regress/sudoers/test2.ldif.ok +++ b/plugins/sudoers/regress/sudoers/test2.ldif.ok @@ -155,3 +155,14 @@ sudoRunAsUser: root sudoCommand: ALL sudoOrder: 13 +dn: cn=user,ou=SUDOers,dc=sudo,dc=ws +objectClass: top +objectClass: sudoRole +cn: user +sudoUser: user +sudoHost: ALL +sudoCommand: /bin/ls "" +sudoCommand: /bin/echo " " +sudoCommand: /bin/foo"bar "" +sudoOrder: 14 + diff --git a/plugins/sudoers/regress/sudoers/test2.ldif2sudo.ok b/plugins/sudoers/regress/sudoers/test2.ldif2sudo.ok index 7039523c6..0277437d6 100644 --- a/plugins/sudoers/regress/sudoers/test2.ldif2sudo.ok +++ b/plugins/sudoers/regress/sudoers/test2.ldif2sudo.ok 
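Review bot: The comment added in test2.in, `# Check that quotes don't need escaping in command and args`, does not say why these three cases were chosen, and the first one carries policy meaning. The sudoers manual documents `""` after a command as "may only be run without command line arguments", so the formatter has to reproduce `/bin/ls ""` byte for byte; the commit message notes that the escaped form is not valid sudoers syntax. I would extend the comment to `# "" means "no arguments allowed"; converted output must reproduce it unescaped`. The fixture exercises only the double quote, so unless another line of test2.in (not visible here) already does, a command argument containing `#`, `,` or `=` would cover the rest of SUDOERS_QUOTED_ARG.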
@@ -36,3 +36,6 @@ foo\:bar\" hoste = (root) ALL # sudoRole +netgr +netgr hosth = (root) ALL + +# sudoRole user +user ALL = /bin/ls "", /bin/echo " ", /bin/foo"bar "" diff --git a/plugins/sudoers/regress/sudoers/test2.out.ok b/plugins/sudoers/regress/sudoers/test2.out.ok index c99f6d060..99171b9b2 100644 --- a/plugins/sudoers/regress/sudoers/test2.out.ok +++ b/plugins/sudoers/regress/sudoers/test2.out.ok @@ -40,3 +40,4 @@ foo\:bar\" hoste = (root) ALL "%:C/non_UNIX_0 c" hostf = (root) ALL "%:C/non\'UNIX_3 c" hostg = (root) ALL +netgr hosth = (root) ALL +user ALL = /bin/ls "", /bin/echo " ", /bin/foo"bar "" diff --git a/plugins/sudoers/regress/sudoers/test2.toke.ok b/plugins/sudoers/regress/sudoers/test2.toke.ok index 63e164821..4c4b88d09 100644 --- a/plugins/sudoers/regress/sudoers/test2.toke.ok +++ b/plugins/sudoers/regress/sudoers/test2.toke.ok @@ -58,3 +58,6 @@ BEGINSTR STRBODY ENDSTR USERGROUP BEGINSTR STRBODY ENDSTR WORD(4) = ( BEGINSTR S BEGINSTR STRBODY ENDSTR USERGROUP BEGINSTR STRBODY ENDSTR WORD(4) = ( BEGINSTR STRBODY ENDSTR WORD(4) ) ALL BEGINSTR STRBODY BACKSLASH STRBODY ENDSTR USERGROUP BEGINSTR STRBODY ENDSTR WORD(4) = ( BEGINSTR STRBODY ENDSTR WORD(4) ) ALL BEGINSTR STRBODY ENDSTR NETGROUP BEGINSTR STRBODY ENDSTR WORD(4) = ( BEGINSTR STRBODY ENDSTR WORD(4) ) ALL + +# +WORD(6) ALL = COMMAND ARG , COMMAND ARG ARG , COMMAND ARG