untaint problem with ActiveSupport 3.2.14 and tzinfo 1.0.1 #3

jessereynolds opened this Issue Sep 2, 2013 · 3 comments




I'm not sure if this is an issue with tzinfo, ActiveSupport, or flapjack ... I just tried a 'bundle update' in the flapjack project (https://github.com/flpjck/flapjack) which bumped tzinfo from 0.3.37 to 1.0.1, and ActiveSupport from 3.2.12 to 3.2.14, and now flapjack crashes on startup with the message: "`untaint': can't modify frozen String".

The following lines of code:

tz_string = 'Australia/Broken_Hill'
tz = ActiveSupport::TimeZone.new(tz_string)


/Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/tzinfo-1.0.1/lib/tzinfo/zoneinfo_data_source.rb:131:in `untaint': can't modify frozen String (RuntimeError)
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/tzinfo-1.0.1/lib/tzinfo/zoneinfo_data_source.rb:131:in `load_timezone_info'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/tzinfo-1.0.1/lib/tzinfo/timezone.rb:97:in `get'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/tzinfo-1.0.1/lib/tzinfo/timezone_proxy.rb:80:in `real_timezone'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/tzinfo-1.0.1/lib/tzinfo/timezone_proxy.rb:52:in `period_for_utc'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/tzinfo-1.0.1/lib/tzinfo/timezone.rb:428:in `current_period'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/activesupport-3.2.14/lib/active_support/core_ext/object/try.rb:36:in `try'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/activesupport-3.2.14/lib/active_support/values/time_zone.rb:212:in `utc_offset'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/activesupport-3.2.14/lib/active_support/values/time_zone.rb:365:in `block in []'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/activesupport-3.2.14/lib/active_support/values/time_zone.rb:365:in `tap'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/activesupport-3.2.14/lib/active_support/values/time_zone.rb:365:in `[]'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/activesupport-3.2.14/lib/active_support/values/time_zone.rb:337:in `new'
    from /Users/jesse/src/flpjck/flapjack/lib/flapjack/notifier.rb:52:in `initialize'
@jessereynolds jessereynolds referenced this issue in flapjack/flapjack Sep 2, 2013

Threading restructure #280


Note that when I run flapjack in the foreground, it runs fine. However, if I run 'rake benchmarks:run' then the above error occurs. The benchmarks:run rake task in turn also just runs flapjack in the foreground using system().

@philr philr added a commit that closed this issue Sep 3, 2013
@philr philr Fix ZoneinfoDataSource with Strings that are tainted and frozen.
Untaint the result of joining the identifier with the path instead of
the identifier itself. If identifier is tainted and frozen, then
untainting it directly will give a 'can't modify frozen String' error.
Fixes #3.
@philr philr closed this in cf77be3 Sep 3, 2013
philr commented Sep 3, 2013

Thank you for the report. This is a bug in TZInfo >= 1.0.0 when used with the zoneinfo data source. I've fixed the issue in cf77be3. The fix will be included in the next TZInfo release.

The problem is that the identifier you are passing in (tz_string in your example) is both tainted and frozen. TZInfo was attempting to untaint the identifier, but failing to do so because it was frozen.

The Ruby data source is unaffected. If you want to use the Ruby data source, you'll need to install the tzinfo-data gem.
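
The failure mode and the fix described above, as an added Ruby example (not code from this thread or from TZInfo). `ZONEINFO_DIR`, `VALID_ID`, the allowlist check and all method names are assumptions made for the illustration; taint calls are skipped on interpreters that no longer track taint.

```ruby
# Added illustration, not TZInfo's code. ZONEINFO_DIR, VALID_ID and every
# method name here are hypothetical.
ZONEINFO_DIR = '/usr/share/zoneinfo'
# Assumed allowlist: path segments of letters, digits, '+', '-' and '_'.
VALID_ID = %r{\A[A-Za-z0-9+\-_]+(/[A-Za-z0-9+\-_]+)*\z}

# Taint tracking is a no-op from Ruby 2.7 and gone in 3.2, so probe for it.
TAINT_ACTIVE = String.new.respond_to?(:taint) && String.new.taint.tainted?

# Pattern described as failing: clears the flag on the caller's own object,
# which raises when that object is tainted and frozen.
def path_untainting_identifier(identifier)
  identifier.untaint if TAINT_ACTIVE
  File.join(ZONEINFO_DIR, identifier)
end

# Pattern described in the fix: join first, then untaint the new String.
# The allowlist check is this example's addition.
def path_untainting_result(identifier)
  raise ArgumentError, "invalid identifier: #{identifier.inspect}" unless identifier =~ VALID_ID
  path = File.join(ZONEINFO_DIR, identifier)
  path.untaint if TAINT_ACTIVE
  path
end

# Constructed input: frozen, and tainted where the interpreter supports it.
def sample_identifier
  id = String.new('Australia/Broken_Hill')
  id.taint if TAINT_ACTIVE
  id.freeze
end

# Regression check: does a builder accept a frozen (tainted) identifier?
def accepts_frozen_identifier?(builder)
  send(builder, sample_identifier)
  true
rescue RuntimeError # FrozenError is a RuntimeError subclass on Ruby >= 2.5
  false
end

if __FILE__ == $PROGRAM_NAME
  puts "taint tracking active: #{TAINT_ACTIVE}"
  puts "untaint identifier ok: #{accepts_frozen_identifier?(:path_untainting_identifier)}"
  puts "untaint result ok:     #{accepts_frozen_identifier?(:path_untainting_result)}"
end
```

On a Ruby with working taint tracking (before 2.7) the first builder is rejected and the second is accepted; on later versions both are accepted because `untaint` no longer does anything.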


Ah interesting, thanks for the info and the fix! I hadn't realised the issue was limited to the zoneinfo data source.
