Fix evaluation of a tuple used in "true" boolean context.

millert · millert · commit ae7dc397b480 · 2023-12-15T14:57:59.000-07:00
Previously, a tuple in boolean context was always treated as a
negated entry, which doesn't match the documentation.  We assume
that there are at least two tuple entries where the first maps to
boolean false and the second maps to boolean true.

--HG--
branch : 1.9
diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
@@ -67,7 +67,7 @@ static int  store_str(const char *str, struct sudo_defs_types *def);
 static bool store_syslogfac(const char *str, struct sudo_defs_types *def);
 static bool store_syslogpri(const char *str, struct sudo_defs_types *def);
 static bool store_timeout(const char *str, struct sudo_defs_types *def);
-static bool store_tuple(const char *str, struct sudo_defs_types *def);
+static bool store_tuple(const char *str, struct sudo_defs_types *def, int op);
 static bool store_uint(const char *str, struct sudo_defs_types *def);
 static bool store_timespec(const char *str, struct sudo_defs_types *def);
 static bool store_rlimit(const char *str, struct sudo_defs_types *def);
@@ -303,7 +303,7 @@ parse_default_entry(const struct sudoers_context *ctx,
 	    rc = store_timeout(val, def);
 	    break;
 	case T_TUPLE:
-	    rc = store_tuple(val, def);
+	    rc = store_tuple(val, def, op);
 	    break;
 	case T_TIMESPEC:
 	    rc = store_timespec(val, def);
@@ -593,8 +593,8 @@ init_defaults(void)
 #endif
 
     /* Password flags also have a string and integer component. */
-    (void) store_tuple("any", &sudo_defs_table[I_LISTPW]);
-    (void) store_tuple("all", &sudo_defs_table[I_VERIFYPW]);
+    (void) store_tuple("any", &sudo_defs_table[I_LISTPW], 0);
+    (void) store_tuple("all", &sudo_defs_table[I_VERIFYPW], 0);
 
     /* Then initialize the int-like things. */
 #ifdef SUDO_UMASK
@@ -1013,18 +1013,28 @@ store_timespec(const char *str, struct sudo_defs_types *def)
 }
 
 static bool
-store_tuple(const char *str, struct sudo_defs_types *def)
+store_tuple(const char *str, struct sudo_defs_types *def, int op)
 {
     struct def_values *v;
     debug_decl(store_tuple, SUDOERS_DEBUG_DEFAULTS);
 
     /*
      * Look up tuple value by name to find enum def_tuple value.
-     * For negation to work the first element of enum def_tuple
-     * must be equivalent to boolean false.
+     * A tuple must have at least two possible values.
      */
     if (str == NULL) {
-	def->sd_un.ival = 0;
+	/*
+	 * Boolean context: true maps to values[1], false maps to values[0].
+	 */
+	if (op == true) {
+	    v = &def->values[1];
+	    def->sd_un.ival = v->nval;
+	} else if (op == false) {
+	    v = &def->values[0];
+	    def->sd_un.ival = v->nval;
+	} else {
+	    debug_return_bool(false);
+	}
     } else {
 	for (v = def->values; v->sval != NULL; v++) {
 	    if (strcmp(v->sval, str) == 0) {
