Add bracket expressions to `wildcard_match`

[squell]

Describe the feature you'd like see implemented in sudo-rs
Add limited expression-style bracket expressions (e.g. "[a-z]") to https://github.com/trifectatechfoundation/sudo-rs/blob/main/src/sudo/env/wildcard_match.rs. This includes exclusion patterns such as [^a-z] and [!a-z].

What problem can be solved with this feature?
This function is used for environment filtering (env_keep). Right now this function only supports * wildcards, but I can see the use case for writing something like

Defaults env_keep += "PS[1234]"

instead of

Defaults env_keep += "PS*"

or

Defaults env_keep += "PS1 PS2 PS3 PS4"

Additional context
Having brackets here might also allow using this function for wildcard matching in the sudoers module as a replacement for our current dependency on glob crate. This crate seems to have maintenance issues (and might even panic in some circumstances if some options are enabled). Or to be blunt, is appears to be unmaintained. A PR fixing exclusion patterns we would like to see merged has been languishing there without any response from a maintainer for a long time.

Also having one less dependency would be cool.

[noahboa27]

Hello @squell! With your blessing, I would like to work on this to get my feet wet with this project.

[squell]

I don't think my blessing will help :-) But you're free to shoot in a PR; we won't be working on it in the coming couple of weeks.

Note that this issue isn't solely about the wildcard match in env vars, for removing glob I'll open another issue when we're happy with the solution to this issue. (E.g. we removing glob also needs to take into account #834)

[squell]

After some thoughts:

Globbing is hard to get right, see for example:

• https://www.cvedetails.com/cve/CVE-2015-8984/ bug in glibc
• https://www.openwall.com/lists/musl/2025/10/08/1 very recent bug in musl's fnmatch
• Glob panicked because of an out-of-bounds error on the pattern rust-lang/glob#134 panic in Rust's glob
• Avoid unwrap() if non UTF-8 in the require_literal_leading_dot flow rust-lang/glob#162 reachable unwrap() in Rust's glob when require_leading_dot is on

We could decide to try it ourselves, but then we're likely to step into some of the same dog poo as the above folks; and if we succeed, then we wouldn't we make our fnmatch available to others? What makes it unique to sudo-rs? So it makes less sense to follow the "let's do it ourselves" route that I imagine we started with this issue.

For the same reason, let's perhaps not do that, and that also means I'm less eager to want to see bracket patterns--the proof of concept submitted by @noahboa27 shows that there are a lot of things to think about with them.