From 52b25940c6a1ea1c1ba138ac378807cb8abc3c31 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 20 Jul 2017 12:02:22 -0600
Subject: [PATCH] When examining environment variables or variables passed in from the front-end, ignore variables with no value specified.
---
 plugins/sudoers/policy.c | 5 +++--
 plugins/sudoers/sudoers.c | 21 ++++++++++++---------
 plugins/sudoers/visudo.c | 5 ++++-
 3 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
index f10f25afc..8c7502d92 100644
--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
@@ -82,7 +82,8 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
 int flags = 0;
 debug_decl(sudoers_policy_deserialize_info, SUDOERS_DEBUG_PLUGIN)
-#define MATCHES(s, v) (strncmp(s, v, sizeof(v) - 1) == 0)
+#define MATCHES(s, v) \
+ (strncmp((s), (v), sizeof(v) - 1) == 0 && (s)[sizeof(v) - 1] != '\0')
 /* Parse sudo.conf plugin args. */
 if (info->plugin_args != NULL) {
@@ -389,7 +390,7 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
 /* user_ttypath remains NULL */
 }
- if (groups != NULL && groups[0] != '\0') {
+ if (groups != NULL) {
 /* sudo_parse_gids() will print a warning on error. */
 user_ngids = sudo_parse_gids(groups, &user_gid, &user_gids);
 if (user_ngids == -1)
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index f7f62bcda..dd187398a 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
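Review bot: The redefined `MATCHES()` in policy.c now makes a setting with an empty value (`name=`) look like an unknown key, with no comment saying so, and the identical macro is pasted again in the sudoers.c and visudo.c hunks. The index `(s)[sizeof(v) - 1]` is safe only because `&&` evaluates it after `strncmp()` has matched the whole prefix, and the macro is correct only when `v` is a string literal and `s` has no side effects (it is expanded twice). I would record that above the definition, e.g. `/* True if s starts with literal v and a non-empty value follows; v must be a string literal, s is evaluated twice. */`, and move the single definition to a shared header so the three parsers cannot drift apart. How an unmatched entry is then treated (ignored or rejected) is decided in the part of `sudoers_policy_deserialize_info()` outside this hunk, so whether an empty value fails open or closed should be checked there.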
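Review bot: Dropping `groups[0] != '\0'` in the second policy.c hunk makes the `sudo_parse_gids()` call rely on an invariant enforced somewhere else: it holds only if every assignment to `groups` goes through the new `MATCHES()`. Those assignments are outside this hunk, so that cannot be confirmed from the lines shown. Either keep the cheap local test as defence in depth, or state the dependency next to the condition with a comment such as `/* groups is non-empty here: MATCHES() rejects "groups=" with no value */`, so that a later change to the macro or a new assignment path does not silently pass an empty list to the parser.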
@@ -681,27 +681,30 @@ init_vars(char * const envp[])
 debug_return_bool(false);
 }
+#define MATCHES(s, v) \
+ (strncmp((s), (v), sizeof(v) - 1) == 0 && (s)[sizeof(v) - 1] != '\0')
+
 for (ep = envp; *ep; ep++) {
- /* XXX - don't fill in if empty string */
 switch (**ep) {
 case 'K':
- if (strncmp("KRB5CCNAME=", *ep, 11) == 0)
- user_ccname = *ep + 11;
+ if (MATCHES(*ep, "KRB5CCNAME="))
+ user_ccname = *ep + sizeof("KRB5CCNAME=") - 1;
 break;
 case 'P':
- if (strncmp("PATH=", *ep, 5) == 0)
- user_path = *ep + 5;
+ if (MATCHES(*ep, "PATH="))
+ user_path = *ep + sizeof("PATH=") - 1;
 break;
 case 'S':
- if (!user_prompt && strncmp("SUDO_PROMPT=", *ep, 12) == 0) {
- user_prompt = *ep + 12;
+ if (!user_prompt && MATCHES(*ep, "SUDO_PROMPT=")) {
+ user_prompt = *ep + sizeof("SUDO_PROMPT=") - 1;
 def_passprompt_override = true;
- } else if (strncmp("SUDO_USER=", *ep, 10) == 0) {
- prev_user = *ep + 10;
+ } else if (MATCHES(*ep, "SUDO_USER=")) {
+ prev_user = *ep + sizeof("SUDO_USER=") - 1;
 }
 break;
 }
 }
+#undef MATCHES
 /*
 * Get a local copy of the user's passwd struct and group list if we
diff --git a/plugins/sudoers/visudo.c b/plugins/sudoers/visudo.c
index 20a3cd682..293530d46 100644
--- a/plugins/sudoers/visudo.c
+++ b/plugins/sudoers/visudo.c
@@ -1338,7 +1338,9 @@ parse_sudoers_options(void)
 if (info != NULL && info->options != NULL) {
 char * const *cur;
-#define MATCHES(s, v) (strncmp(s, v, sizeof(v) - 1) == 0)
+#define MATCHES(s, v) \
+ (strncmp((s), (v), sizeof(v) - 1) == 0 && (s)[sizeof(v) - 1] != '\0')
+
 for (cur = info->options; *cur != NULL; cur++) {
 const char *errstr, *p;
 id_t id;
@@ -1369,6 +1371,7 @@ parse_sudoers_options(void)
 continue;
 }
 }
+#undef MATCHES
 }
 }
 debug_return;
--
2.40.0
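Review bot: In the `init_vars()` loop in sudoers.c the rule for repeated variables is neither uniform nor documented: `KRB5CCNAME`, `PATH` and `SUDO_USER` are overwritten by every later match, while `SUDO_PROMPT` keeps the first one because of the `!user_prompt` test. With the new `MATCHES()`, a later empty entry such as `PATH=` no longer replaces an earlier non-empty one, so the value picked here can differ from what a first-match lookup of the same environment would return. As `envp` presumably comes from the invoking user's environment, the intended rule should be written above the loop, for example `/* Empty values are ignored; for duplicates the last non-empty entry wins, except SUDO_PROMPT where the first wins. */`, in place of the removed XXX comment. `init_vars()` starts and ends outside this hunk, so how the unset state of `user_path` and the other variables is handled afterwards is not visible here.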