untaint problem with ActiveSupport 3.2.14 and tzinfo 1.0.1 #3

Closed
jessereynolds opened this Issue Sep 2, 2013 · 3 comments


I'm not sure if this is an issue with tzinfo, ActiveSupport, or flapjack ... I just tried a 'bundle update' in the flapjack project (https://github.com/flpjck/flapjack) which bumped tzinfo from 0.3.37 to 1.0.1, and ActiveSupport from 3.2.12 to 3.2.14, and now flapjack crashes on startup with the message: "`untaint': can't modify frozen String".

The following lines of code:

tz_string = 'Australia/Broken_Hill'
tz = ActiveSupport::TimeZone.new(tz_string)

produce:

/Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/tzinfo-1.0.1/lib/tzinfo/zoneinfo_data_source.rb:131:in `untaint': can't modify frozen String (RuntimeError)
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/tzinfo-1.0.1/lib/tzinfo/zoneinfo_data_source.rb:131:in `load_timezone_info'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/tzinfo-1.0.1/lib/tzinfo/timezone.rb:97:in `get'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/tzinfo-1.0.1/lib/tzinfo/timezone_proxy.rb:80:in `real_timezone'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/tzinfo-1.0.1/lib/tzinfo/timezone_proxy.rb:52:in `period_for_utc'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/tzinfo-1.0.1/lib/tzinfo/timezone.rb:428:in `current_period'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/activesupport-3.2.14/lib/active_support/core_ext/object/try.rb:36:in `try'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/activesupport-3.2.14/lib/active_support/values/time_zone.rb:212:in `utc_offset'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/activesupport-3.2.14/lib/active_support/values/time_zone.rb:365:in `block in []'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/activesupport-3.2.14/lib/active_support/values/time_zone.rb:365:in `tap'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/activesupport-3.2.14/lib/active_support/values/time_zone.rb:365:in `[]'
    from /Users/jesse/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/activesupport-3.2.14/lib/active_support/values/time_zone.rb:337:in `new'
    from /Users/jesse/src/flpjck/flapjack/lib/flapjack/notifier.rb:52:in `initialize'

@jessereynolds jessereynolds referenced this issue in flapjack/flapjack Sep 2, 2013

Closed

Threading restructure #280


jessereynolds Sep 2, 2013

Note that when I run flapjack in the foreground, it runs fine. However, if I run 'rake benchmarks:run' then the above error occurs. The benchmarks:run rake task in turn also just runs flapjack in the foreground using system().


@philr philr closed this in cf77be3 Sep 3, 2013


philr Sep 3, 2013

Member

Thank you for the report. This is a bug in TZInfo >= 1.0.0 when used with the zoneinfo data source. I've fixed the issue in cf77be3. The fix will be included in the next TZInfo release.

The problem is that the identifier you are passing in (tz_string in your example) is both tainted and frozen. TZInfo was attempting to untaint the identifier, but failing to do so because it was frozen.

The Ruby data source is unaffected. If you want to use the Ruby data source, you'll need to install the tzinfo-data gem.
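An added illustration of the failure described in the comment above; it is not TZInfo's code and not the change made in cf77be3. The method names, the `SAFE_ZONE_ID` pattern and the `/usr/share/zoneinfo` root are assumptions, and `force_encoding` stands in for `untaint` as the in-place change, because taint tracking was removed in Ruby 3.2.

```ruby
# Added example, not TZInfo's code. All names here are hypothetical.

# Allow only identifier characters: no "..", no NUL, no leading "/".
SAFE_ZONE_ID = %r{\A[A-Za-z0-9+\-_]+(?:/[A-Za-z0-9+\-_]+)*\z}

# Failing pattern: change the caller's string in place before using it.
# force_encoding is a stand-in for untaint; like untaint in Ruby 2.0,
# it raises "can't modify frozen String" when the receiver is frozen.
def path_mutating_input(root, identifier)
  identifier.force_encoding(Encoding::UTF_8)
  File.join(root, identifier)
end

# Defensive pattern: validate first, then work on a private copy, so a
# frozen (or, on old Rubies, tainted) argument is never modified.
def path_copying_input(root, identifier)
  unless identifier.is_a?(String) && SAFE_ZONE_ID.match?(identifier)
    raise ArgumentError, "invalid identifier: #{identifier.inspect}"
  end
  copy = identifier.dup # dup of a frozen String is not frozen
  # Only Rubies that still track taint have anything to clear.
  copy.untaint if copy.respond_to?(:tainted?) && copy.tainted?
  File.join(root, copy)
end

# Returns the exception raised by the block, or nil if it raised nothing.
# FrozenError is a subclass of RuntimeError, so this covers old and new Ruby.
def error_from
  yield
  nil
rescue RuntimeError, ArgumentError => e
  e
end

if __FILE__ == $PROGRAM_NAME
  root = '/usr/share/zoneinfo'            # assumed zoneinfo location
  id = 'Australia/Broken_Hill'.freeze     # constructed input, frozen like the report's
  puts error_from { path_mutating_input(root, id) }.inspect
  puts path_copying_input(root, id)
  puts error_from { path_copying_input(root, '../../etc/passwd') }.inspect
end
```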



jessereynolds Sep 3, 2013

Ah interesting, thanks for the info and the fix! I hadn't realised the issue was limited to the zoneinfo data source.
