From: Todd C. Miller
Date: Thu, 17 May 2018 17:16:44 +0000 (-0600)
Subject: rfc2253 says we need to escape " and leading and trailing space.
X-Git-Tag: SUDO_1_8_24^2~69
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7d42a609d9885cce4b4e4a35dae4734d13d93e7d;p=sudo

rfc2253 says we need to escape " and leading and trailing space.
---
diff --git a/plugins/sudoers/cvtsudoers_ldif.c b/plugins/sudoers/cvtsudoers_ldif.c
index 39f9015c9..973d240b8 100644
--- a/plugins/sudoers/cvtsudoers_ldif.c
+++ b/plugins/sudoers/cvtsudoers_ldif.c
@@ -326,6 +326,7 @@ print_cmndspec_ldif(FILE *fp, struct cmndspec *cs, struct cmndspec **nextp, stru
 
 /*
 * Convert user name to cn, avoiding duplicates and quoting as needed.
+ * See http://www.faqs.org/rfcs/rfc2253.html
 */
 static char *
 user_to_cn(const char *user)
@@ -363,19 +364,23 @@ user_to_cn(const char *user)
 for (src = user, dst = cn; *src != '\0'; src++) {
 switch (*src) {
 case ',':
- case '\\':
- case '#':
 case '+':
+ case '"':
+ case '\\':
 case '<':
 case '>':
+ case '#':
 case ';':
- *dst++ = '\\';
- *dst++ = *src;
+ *dst++ = '\\'; /* always escape */
+ break;
+ case ' ':
+ if (src == user || src[1] == '\0')
+ *dst++ = '\\'; /* only escape at beginning or end of string */
 break;
 default:
- *dst++ = *src;
 break;
 }
+ *dst++ = *src;
 }
 *dst = '\0';
 
diff --git a/plugins/sudoers/regress/sudoers/test2.ldif.ok b/plugins/sudoers/regress/sudoers/test2.ldif.ok
index 947148797..a9e7df921 100644
--- a/plugins/sudoers/regress/sudoers/test2.ldif.ok
+++ b/plugins/sudoers/regress/sudoers/test2.ldif.ok
@@ -45,10 +45,10 @@ sudoRunAsUser: root
 sudoCommand: ALL
 sudoOrder: 2
 
-dn: cn=foo",ou=SUDOers,dc=sudo,dc=ws
+dn: cn=foo\",ou=SUDOers,dc=sudo,dc=ws
 objectClass: top
 objectClass: sudoRole
-cn: foo"
+cn: foo\"
 sudoUser: foo"
 sudoHost: hostc
 sudoRunAsUser: root
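Review bot: The escape loop in the `@@ -363,19 +364,23 @@` hunk of cvtsudoers_ldif.c writes through `dst` with no bound, and it can now emit two bytes for `"` and for a leading or trailing space in addition to the characters escaped before. The allocation of `cn` is outside the hunk, so confirm it reserves at least `2 * strlen(user) + 1` bytes plus anything appended afterwards (the header comment mentions avoiding duplicates); if the sizing instead counts specific characters, it has to count the new cases too. A comment above the loop would pin the invariant, e.g. `/* cn must hold 2 * strlen(user) + 1 bytes: any byte may gain a '\\' */`. The body of user_to_cn starts and ends outside the hunk.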
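Review bot: The expected output in the `@@ -45,10 +45,10 @@` hunk of test2.ldif.ok applies the backslash escape to the `cn:` attribute line as well as to the `dn:` line, and the `@@ -65,10 +65,10 @@` and `@@ -115,10 +115,10 @@` hunks do the same. RFC 2253 escaping describes the string form of a DN; if the `cn:` value is taken literally when the LDIF is loaded, it would contain a backslash and no longer equal the RDN value that the `dn:` line names, so it is worth confirming this is intended or emitting the unescaped name on the `cn:` line. The fixtures shown here also exercise only `"`; an entry whose user name has a leading or trailing space would cover the new `case ' ':` branch.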
@@ -65,10 +65,10 @@ sudoRunAsUser: root
 sudoCommand: ALL
 sudoOrder: 4
 
-dn: cn=foo:bar",ou=SUDOers,dc=sudo,dc=ws
+dn: cn=foo:bar\",ou=SUDOers,dc=sudo,dc=ws
 objectClass: top
 objectClass: sudoRole
-cn: foo:bar"
+cn: foo:bar\"
 sudoUser: foo:bar"
 sudoHost: hoste
 sudoRunAsUser: root
@@ -115,10 +115,10 @@ sudoRunAsUser: root
 sudoCommand: ALL
 sudoOrder: 9
 
-dn: cn=%:C/non"UNIX"0 c,ou=SUDOers,dc=sudo,dc=ws
+dn: cn=%:C/non\"UNIX\"0 c,ou=SUDOers,dc=sudo,dc=ws
 objectClass: top
 objectClass: sudoRole
-cn: %:C/non"UNIX"0 c
+cn: %:C/non\"UNIX\"0 c
 sudoUser: %:C/non"UNIX"0 c
 sudoHost: hoste
 sudoRunAsUser: root