From d437fdc0d049489ed30aba904ffe0fd78719b8c5 Mon Sep 17 00:00:00 2001
From: Marc Schoolderman
Date: Tue, 25 Nov 2025 17:30:02 +0100
Subject: [PATCH 1/2] add compliance tests for regexes

---
 test-framework/sudo-compliance-tests/src/sudo/sudoers.rs | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/test-framework/sudo-compliance-tests/src/sudo/sudoers.rs b/test-framework/sudo-compliance-tests/src/sudo/sudoers.rs
index 8895db9b2..14a240070 100644
--- a/test-framework/sudo-compliance-tests/src/sudo/sudoers.rs
+++ b/test-framework/sudo-compliance-tests/src/sudo/sudoers.rs
@@ -212,3 +212,12 @@ fn negated_defaults_errors() {
     };
     assert_contains!(output.stderr(), diagnostic2);
 }
+
+#[test]
+fn regex_not_interpreted_literally() {
+    let env = Env("ALL ALL=(ALL:ALL) NOPASSWD: /bin/echo ^huk$").build();
+
+    let output = Command::new("sudo").args(["echo", "^huk$"]).output(&env);
+
+    output.assert_exit_code(1);
+}

From cf833b39e9055c7ef7ca7208a823c40b2a3f3ecf Mon Sep 17 00:00:00 2001
From: Marc Schoolderman
Date: Tue, 25 Nov 2025 17:33:21 +0100
Subject: [PATCH 2/2] recognize the ^...$ syntax introduced by recent ogsudo and give an error message

---
 src/sudoers/tokens.rs | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/sudoers/tokens.rs b/src/sudoers/tokens.rs
index f3a148d75..42ef6fdc6 100644
--- a/src/sudoers/tokens.rs
+++ b/src/sudoers/tokens.rs
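Review bot: The new test pins only `output.assert_exit_code(1)`, so it passes for any reason sudo refuses the command, not specifically because the `^huk$` rule is rejected rather than matched literally; a sudoers file rejected for an unrelated parse problem would also yield exit code 1. Following the pattern of `negated_defaults_errors` just above, adding `assert_contains!(output.stderr(), "regular expressions are not supported");` would tie the test to the diagnostic this series introduces. If the compliance suite also runs against upstream sudo, where this case is presumably a match failure rather than a parse error, that stderr assertion would need to be gated to the sudo-rs target, which may be why only the exit code is checked here; a comment saying so would make the intent clear to the next reader.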
@@ -185,7 +185,13 @@ impl Token for Command {
             // if no arguments are mentioned, anything is allowed
             None
         } else {
-            if args.last().map(|x| -> &str { x }) == Some("\"\"") {
+            if args.first().is_some_and(|x| x.starts_with('^')) {
+                // regular expressions are not supported, give an error message. If there is only a
+                // terminating '$', this is not treated as a malformed regex by millersudo, so we don't
+                // need to seperately check for that
+                return Err("regular expressions are not supported".to_string());
+            }
+            if args.last().is_some_and(|x| x == "\"\"") {
                 // if the magic "" appears, no (further) arguments are allowed
                 args.pop();
             }
@@ -227,6 +233,8 @@ impl Token for SimpleCommand {
             return cvt_err(glob::Pattern::new(&cmd));
         } else if cmd.starts_with("sha") {
             return Err("digest specifications are not supported".to_string());
+        } else if cmd.starts_with('^') {
+            return Err("regular expressions are not supported".to_string());
         } else if !cmd.starts_with('/') {
             return Err("fully qualified path needed".to_string());
         }
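Review bot: The diagnostic literal `"regular expressions are not supported"` is now written out twice, once in the `args.first()` branch of this hunk and once in the `SimpleCommand` hunk below; the compliance test in the first patch is the natural consumer of that text, so a single shared `const REGEX_UNSUPPORTED: &str = "regular expressions are not supported";` used by both `return Err(...)` sites would keep the message from drifting between the two parse paths. The added comment has a typo, `seperately` should be `separately`, and it would read better as two sentences: `// regular expressions are not supported, so reject them with a clear error.` followed by the note about a lone terminating '$' not being treated as a malformed regex by upstream sudo. Rejecting the entry at parse time rather than matching `^...$` literally is the fail-closed choice, so the behaviour itself looks right; the enclosing `parse` bodies of both `impl Token` blocks start and end outside these hunks, so I could not confirm where the parse error surfaces to the user. `Option::is_some_and` is stable since Rust 1.70, which is only worth a glance against the crate's declared MSRV, not visible here.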