zzem | 3 years ago

For everyone who is panicking about this - to be affected, you either need to use a really old version of tzinfo (0.3.60 and earlier), have the tzinfo-data gem installed, or explicitly set TZInfo::DataSource to DataSources::RubyDataSource.

Otherwise, by default, tzinfo will use TZInfo::ZoneinfoDataSource, which does not seem to be affected.

https://github.com/tzinfo/tzinfo/blob/d9b289e1be30d29a2cb23b...

https://github.com/tzinfo/tzinfo/commit/b98c32efd61289fe6f00...

reyno | 3 years ago

Versions 1.0.0 up to 1.2.9 are also vulnerable, not just the 0.x branch.

Edit: misread your comment, 1.x is vulnerable only if you have the tzinfo-data gem installed, or explicitly set TZInfo::DataSource to DataSources::RubyDataSource as you stated.
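
Added example (not part of the thread and not tzinfo project code): a triage helper that applies the conditions from the two comments above to a Gemfile.lock. The function names, result symbols and the sample lockfile are assumptions made for illustration; the version ranges are the ones stated in the thread.

```ruby
require "rubygems" # Gem::Version

# Version ranges exactly as stated in the thread above.
OLD_BRANCH_MAX = Gem::Version.new("0.3.60")
V1_MIN = Gem::Version.new("1.0.0")
V1_MAX = Gem::Version.new("1.2.9")

# Map gem name => locked version. Resolved specs sit at exactly four spaces
# of indentation in Gemfile.lock; their dependency lines (six spaces) are skipped.
def locked_gems(lock_text)
  lock_text.each_line.with_object({}) do |line, gems|
    m = line.match(/\A {4}([A-Za-z0-9_.-]+) \(([^)\s]+)\)\s*\z/)
    gems[m[1]] = Gem::Version.new(m[2]) if m && Gem::Version.correct?(m[2])
  end
end

# ruby_data_source_forced: pass true if the application explicitly sets the
# Ruby data source at runtime; a lockfile cannot reveal that (hypothetical flag).
def tzinfo_exposure(lock_text, ruby_data_source_forced: false)
  gems = locked_gems(lock_text)
  tz = gems["tzinfo"]
  return :tzinfo_not_locked unless tz
  return :affected_old_branch if tz <= OLD_BRANCH_MAX
  return :outside_ranges_named_in_thread unless tz.between?(V1_MIN, V1_MAX)
  ruby_source = gems.key?("tzinfo-data") || ruby_data_source_forced
  ruby_source ? :affected_ruby_data_source : :default_zoneinfo_source
end

# Constructed sample lockfile, for illustration only.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (5.2.8)
        tzinfo (~> 1.1)
      tzinfo (1.2.9)
        thread_safe (~> 0.1)
      tzinfo-data (1.2022.1)
        tzinfo (>= 1.0.0)
LOCK

puts tzinfo_exposure(SAMPLE_LOCK) if $PROGRAM_NAME == __FILE__
```

A result of :default_zoneinfo_source still depends on the application not switching data sources at runtime, so search the code base for TZInfo::DataSource before relying on it.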