untaint problem with ActiveSupport 3.2.14 and tzinfo 1.0.1

[jessereynolds]

I'm not sure if this is an issue with tzinfo, ActiveSupport, or flapjack ... I just tried a 'bundle update' in the flapjack project (https://github.com/flpjck/flapjack) which bumped tzinfo from 0.3.37 to 1.0.1, and ActiveSupport from 3.2.12 to 3.2.14, and now flapjack crashes on startup with the message: "`untaint': can't modify frozen String".

The following lines of code:

tz_string = 'Australia/Broken_Hill'
tz = ActiveSupport::TimeZone.new(tz_string)

produces:

/Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/tzinfo-1.0.1/lib/tzinfo/zoneinfo_data_source.rb:131:in `untaint': can't modify frozen String (RuntimeError)
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/tzinfo-1.0.1/lib/tzinfo/zoneinfo_data_source.rb:131:in `load_timezone_info'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/tzinfo-1.0.1/lib/tzinfo/timezone.rb:97:in `get'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/tzinfo-1.0.1/lib/tzinfo/timezone_proxy.rb:80:in `real_timezone'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/tzinfo-1.0.1/lib/tzinfo/timezone_proxy.rb:52:in `period_for_utc'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/tzinfo-1.0.1/lib/tzinfo/timezone.rb:428:in `current_period'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/activesupport-3.2.14/lib/active_support/core_ext/object/try.rb:36:in `try'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/activesupport-3.2.14/lib/active_support/values/time_zone.rb:212:in `utc_offset'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/activesupport-3.2.14/lib/active_support/values/time_zone.rb:365:in `block in []'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/activesupport-3.2.14/lib/active_support/values/time_zone.rb:365:in `tap'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/activesupport-3.2.14/lib/active_support/values/time_zone.rb:365:in `[]'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/activesupport-3.2.14/lib/active_support/values/time_zone.rb:337:in `new'
    from /Users/jesse/src/flpjck/flapjack/lib/flapjack/notifier.rb:52:in `initialize'

[jessereynolds]

Note that when I run flapjack in the foreground, it runs fine. However, if I run 'rake benchmarks:run' then the above error occurs. The benchmarks:run rake task in turn also just runs flapjack in the foreground using system().

[philr]

Thank you for the report. This is a bug in TZInfo >= 1.0.0 when used with the zoneinfo data source. I've fixed the issue in cf77be3. The fix will be included in the next TZInfo release.

The problem is that the identifier you are passing in (tz_string in your example) is both tainted and frozen. TZInfo was attempting to untaint the identifier, but failing to do so because it was frozen.

The Ruby data source is unaffected. If you want to use the Ruby data source, you'll need to install the tzinfo-data gem.

[jessereynolds]

Ah interesting, thanks for the info and the fix! I hadn't realised the issue was limited to the zoneinfo data source.