From ea85db3ecd40d119d8434a0b45a7d201256e71e3 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 7 Jul 2015 10:58:05 -0600
Subject: [PATCH] Add support for parsing quoted strings in a sudoOption just like sudoers Defaults settings.
---
 plugins/sudoers/ldap.c | 19 ++++++++++++++-----
 plugins/sudoers/sssd.c | 20 ++++++++++++++------
 2 files changed, 28 insertions(+), 11 deletions(-)
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 887092a3b..9addea4f7 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -1046,7 +1046,8 @@ static bool
 sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry)
 {
 struct berval **bv, **p;
- char op, *var, *val;
+ char *var, *val;
+ int op;
 bool rc = false;
 debug_decl(sudo_ldap_parse_options, SUDOERS_DEBUG_LDAP)
@@ -1066,15 +1067,23 @@ sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry)
 val = strchr(var, '=');
 if (val > var) {
 *val++ = '\0'; /* split on = and truncate var */
- op = *(val - 2); /* peek for += or -= cases */
+ op = val[-2]; /* peek for += or -= cases */
 if (op == '+' || op == '-') {
- *(val - 2) = '\0'; /* found, remove extra char */
 /* case var+=val or var-=val */
- set_default(var, val, (int) op);
+ val[-2] = '\0'; /* remove extra + or - char */
 } else {
 /* case var=val */
- set_default(var, val, true);
+ op = true;
 }
+ /* Strip double quotes if present. */
+ if (*val == '"') {
+ char *ep = val + strlen(val);
+ if (ep != val && ep[-1] == '"') {
+ val++;
+ ep[-1] = '\0';
+ }
+ }
+ set_default(var, val, op);
 } else if (*var == '!') {
 /* case !var Boolean False */
 set_default(var + 1, NULL, false);
diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index 10234ed6b..7e6f4fc50 100644
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
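Review bot: In the second ldap.c hunk the quote check accepts a value that is only a single `"`: once `*val == '"'` holds, `ep != val` is always true, and for a one-character value `ep[-1]` is that same opening quote, so it is stripped and set_default() receives an empty string. Requiring two characters closes that, `if (ep - val >= 2 && ep[-1] == '"') {`, so a malformed sudoOption consisting of a lone quote is passed through unchanged instead of silently becoming an empty setting. The same block is repeated in the second sssd.c hunk and needs the same condition. The enclosing function starts and ends outside the hunk.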
@@ -1021,9 +1021,9 @@ sudo_sss_check_command(struct sudo_sss_handle *handle,
 static bool
 sudo_sss_parse_options(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 {
- int i;
+ int i, op;
 bool ret = false;
- char op, *v, *val;
+ char *v, *val;
 char **val_array = NULL;
 debug_decl(sudo_sss_parse_options, SUDOERS_DEBUG_SSSD);
@@ -1054,15 +1054,23 @@ sudo_sss_parse_options(struct sudo_sss_handle *handle, struct sss_sudo_rule *rul
 val = strchr(v, '=');
 if (val > v) {
 *val++ = '\0'; /* split on = and truncate var */
- op = *(val - 2); /* peek for += or -= cases */
+ op = val[-2]; /* peek for += or -= cases */
 if (op == '+' || op == '-') {
- *(val - 2) = '\0'; /* found, remove extra char */
 /* case var+=val or var-=val */
- set_default(v, val, (int) op);
+ val[-2] = '\0'; /* remove extra + or - char */
 } else {
 /* case var=val */
- set_default(v, val, true);
+ op = true;
+ }
+ /* Strip double quotes if present. */
+ if (*val == '"') {
+ char *ep = val + strlen(val);
+ if (ep != val && ep[-1] == '"') {
+ val++;
+ ep[-1] = '\0';
+ }
 }
+ set_default(v, val, op);
 } else if (*v == '!') {
 /* case !var Boolean False */
 set_default(v + 1, NULL, false);
--
2.50.1
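Review bot: The quote-stripping block in the second sssd.c hunk is a line-for-line copy of the one added to ldap.c, differing only in the variable name (`v` for `var`), so any later fix to how sudoOption values are parsed has to be made twice. Since both backends end in the same set_default() call, consider moving the split on `=`, the `+=`/`-=` peek and the quote handling into one shared helper that sudo_ldap_parse_options() and sudo_sss_parse_options() both call. That helper should carry a short comment stating that only one enclosing pair of double quotes is removed and that embedded quotes and backslashes are left as they are. The enclosing function body starts and ends outside the hunk.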