devise 3.0.4 → 3.1.0.rc2

data/{CHANGELOG.rdoc → CHANGELOG.md}

@@ -1,14 +1,25 @@
-== 3.0.4
+== 3.1.0.rc2
 
-Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode
+Security announcement: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/
 
-* bug fix
-  * Avoid e-mail enumeration on sign in when in paranoid mode
+* backwards incompatible changes
+  * Do not store confirmation, unlock and reset password tokens directly in the database. This means tokens previously stored in the database are no longer valid. You can reenable this temporarily by setting `config.allow_insecure_tokens_lookup = true` in your configuration file. It is recommended to keep this configuration set to true just temporarily in your production servers only to aid migration
+  * The Devise mailer and its views were changed to explicitly receive a token as argument. You will need to update your mailers and re-copy the views to your application with `rails g devise:views`
+  * Sanitization of parameters should be done by calling `devise_parameter_sanitizier.sanitize(:action)` instead of `devise_parameter_sanitizier.for(:action)`
+
+* deprecations
+  * Token authentication is deprecated
 
-== 3.0.3
+* enhancements
+  * Better security defaults
+  * Allow easier customization of parameter sanitizer (by @alexpeattie)
 
 * bug fix
-  * Do not confirm account after reset password
+  * Do not confirm e-mail after password reset
+  * Do not sign in after confirmation
+  * Do not store confirmation, unlock and reset password tokens directly in the database
+  * Do not compare directly against confirmation, unlock and reset password tokens
+  * Skip storage for cookies on unverified requests
 
 == 3.0.2
 
@@ -652,7 +663,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Added Registerable
   * Added Http Basic Authentication support
   * Allow scoped_views to be customized per controller/mailer class
-  * [#99] Allow authenticatable to used in change_table statements
+  * Allow authenticatable to used in change_table statements
 
 == 0.9.2
 
@@ -792,19 +803,19 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Added DataMapper support
   * Remove store_location from authenticatable strategy and add it to failure app
   * Allow a strategy to be placed after authenticatable
-  * [#45] Do not rely attribute? methods, since they are not added on Datamapper
+  * Do not rely attribute? methods, since they are not added on Datamapper
 
 == 0.5.6
 
 * enhancements
-  * [#42] Do not send nil to build (DataMapper compatibility)
-  * [#44] Allow to have scoped views
+  * Do not send nil to build (DataMapper compatibility)
+  * Allow to have scoped views
 
 == 0.5.5
 
 * enhancements
   * Allow overwriting find for authentication method
-  * [#38] Remove Ruby 1.8.7 dependency
+  * Remove Ruby 1.8.7 dependency
 
 == 0.5.4
 
@@ -812,7 +823,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Deprecate :singular in devise_for and use :scope instead
 
 * enhancements
-  * [#37] Create after_sign_in_path_for and after_sign_out_path_for hooks to be
+  * Create after_sign_in_path_for and after_sign_out_path_for hooks to be
     overwriten in ApplicationController
   * Create sign_in_and_redirect and sign_out_and_redirect helpers
   * Warden::Manager.default_scope is automatically configured to the first given scope
@@ -824,7 +835,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Ensure all controllers are unloadable
 
 * enhancements
-  * [#35] Moved friendly_token to Devise
+  * Moved friendly_token to Devise
   * Added Devise.all, so you can freeze your app strategies
   * Added Devise.apply_schema, so you can turn it to false in Datamapper or MongoMapper
     in cases you don't want it be handlded automatically
@@ -832,9 +843,9 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 == 0.5.2
 
 * enhancements
-  * [#28] Improved sign_in and sign_out helpers to accepts resources
-  * [#28] Added stored_location_for as a helper
-  * [#20] Added test helpers
+  * Improved sign_in and sign_out helpers to accepts resources
+  * Added stored_location_for as a helper
+  * Added test helpers
 
 == 0.5.1
 
@@ -855,7 +866,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 == 0.4.3
 
 * bug fix
-  * [#29] Authentication just fails if user cannot be serialized from session, without raising errors;
+  * Authentication just fails if user cannot be serialized from session, without raising errors;
   * Default configuration values should not overwrite user values;
 
 == 0.4.2
@@ -873,7 +884,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 == 0.4.1
 
 * bug fix
-  * [#21] Ensure options can be set even if models were not loaded
+  * Ensure options can be set even if models were not loaded
 
 == 0.4.0
 
@@ -884,25 +895,25 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * :authenticable calls are deprecated, use :authenticatable instead
 
 * enhancements
-  * [#16] Allow devise to be more agnostic and do not require ActiveRecord to be loaded
+  * Allow devise to be more agnostic and do not require ActiveRecord to be loaded
   * Allow Warden::Manager to be configured through Devise
   * Created a generator which creates an initializer
 
 == 0.3.0
 
 * bug fix
-  * [#15] Allow yml messages to be configured by not using engine locales
+  * Allow yml messages to be configured by not using engine locales
 
 * deprecations
   * Renamed confirm_in to confirm_within
-  * [#14] Do not send confirmation messages when user changes his e-mail
-  * [#13] Renamed authenticable to authenticatable and added deprecation warnings
+  * Do not send confirmation messages when user changes his e-mail
+  * Renamed authenticable to authenticatable and added deprecation warnings
 
 == 0.2.3
 
 * enhancements
   * Ensure fail! works inside strategies
-  * [#12] Make unauthenticated message (when you haven't signed in) different from invalid message
+  * Make unauthenticated message (when you haven't signed in) different from invalid message
 
 * bug fix
   * Do not redirect on invalid authenticate
@@ -911,7 +922,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 == 0.2.2
 
 * bug fix
-  * [#9] Fix a bug when using customized resources
+  * Fix a bug when using customized resources
 
 == 0.2.1
 
@@ -919,17 +930,17 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Clean devise_views generator to use devise existing views
 
 * enhancements
-  * [#7] Create instance variables (like @user) for each devise controller
+  * Create instance variables (like @user) for each devise controller
   * Use Devise::Controller::Helpers only internally
 
 * bug fix
-  * [#6] Fix a bug with Mongrel and Ruby 1.8.6
+  * Fix a bug with Mongrel and Ruby 1.8.6
 
 == 0.2.0
 
 * enhancements
-  * [#4] Allow option :null => true in authenticable migration
-  * [#3] Remove attr_accessible calls from devise modules
+  * Allow option :null => true in authenticable migration
+  * Remove attr_accessible calls from devise modules
   * Customizable time frame for rememberable with :remember_for config
   * Customizable time frame for confirmable with :confirm_in config
   * Generators for creating a resource and copy views
@@ -938,12 +949,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Do not load hooks or strategies if they are not used
 
 * bug fixes
-  * [#2] Fixed requiring devise strategies
+  * Fixed requiring devise strategies
 
 == 0.1.1
 
 * bug fixes
-  * [#1] Fixed requiring devise mapping
+  * Fixed requiring devise mapping
 
 == 0.1.0
 

data/Gemfile.lock

@@ -1,21 +1,22 @@
 GIT
   remote: git://github.com/mongoid/mongoid.git
-  revision: fe7f43430580860db6d1d89cea27eda24ab60ab1
+  revision: 346a79a7d01aa194de80e649916239a18d38ce13
   branch: master
   specs:
     mongoid (4.0.0)
-      activemodel (~> 4.0.0.rc1)
-      moped (~> 1.4.2)
+      activemodel (~> 4.0.0)
+      moped (~> 1.5)
       origin (~> 1.0)
       tzinfo (~> 0.3.22)
 
 PATH
   remote: .
   specs:
-    devise (3.0.4)
+    devise (3.1.0.rc2)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
+      thread_safe (~> 0.1)
       warden (~> 1.2.3)
 
 GEM
@@ -46,17 +47,17 @@ GEM
       thread_safe (~> 0.1)
       tzinfo (~> 0.3.37)
     arel (4.0.0)
-    atomic (1.1.10)
-    bcrypt-ruby (3.1.2)
+    atomic (1.1.12)
+    bcrypt-ruby (3.1.1)
     builder (3.1.4)
     erubis (2.7.0)
-    faraday (0.8.7)
-      multipart-post (~> 1.1)
+    faraday (0.8.8)
+      multipart-post (~> 1.2.0)
     hashie (1.2.0)
     hike (1.2.3)
     httpauth (0.2.0)
-    i18n (0.6.4)
-    json (1.7.7)
+    i18n (0.6.5)
+    json (1.8.0)
     jwt (0.1.8)
       multi_json (>= 1.5)
     mail (2.5.4)
@@ -67,8 +68,8 @@ GEM
     minitest (4.7.5)
     mocha (0.13.3)
       metaclass (~> 0.0.1)
-    moped (1.4.5)
-    multi_json (1.7.7)
+    moped (1.5.1)
+    multi_json (1.7.9)
     multipart-post (1.2.0)
     nokogiri (1.5.9)
     oauth2 (0.8.1)
@@ -125,7 +126,7 @@ GEM
       sprockets (~> 2.8)
     sqlite3 (1.3.7)
     thor (0.18.1)
-    thread_safe (0.1.0)
+    thread_safe (0.1.2)
       atomic
     tilt (1.4.1)
     treetop (1.4.14)

data/README.md

@@ -15,10 +15,9 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
 * Allows you to have multiple models signed in at the same time;
 * Is based on a modularity concept: use just what you really need.
 
-It's composed of 11 modules:
+It's composed of 10 modules:
 
 * [Database Authenticatable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/DatabaseAuthenticatable): encrypts and stores a password in the database to validate the authenticity of a user while signing in. The authentication can be done both through POST requests or HTTP Basic Authentication.
-* [Token Authenticatable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/TokenAuthenticatable): signs in a user based on an authentication token (also known as "single access token"). The token can be given both through query string or HTTP Basic Authentication.
 * [Omniauthable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Omniauthable): adds Omniauth (https://github.com/intridea/omniauth) support;
 * [Confirmable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Confirmable): sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in.
 * [Recoverable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Recoverable): resets the user password and sends reset instructions.
@@ -188,7 +187,7 @@ There are just three actions in Devise that allows any set of parameters to be p
 * `sign_up` (`Devise::RegistrationsController#create`) - Permits authentication keys plus `password` and `password_confirmation`
 * `account_update` (`Devise::RegistrationsController#update`) - Permits authentication keys plus `password`, `password_confirmation` and `current_password`
 
-In case you want to customize the permitted parameters (the lazy way™) you can do with a simple before filter in your `ApplicationController`:
+In case you want to permit additional parameters (the lazy way™) you can do with a simple before filter in your `ApplicationController`:
 
 ```ruby
 class ApplicationController < ActionController::Base
@@ -197,11 +196,19 @@ class ApplicationController < ActionController::Base
   protected
 
   def configure_permitted_parameters
-    devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:username, :email) }
+    devise_parameter_sanitizer.for(:sign_up) << :username
   end
 end
 ```
 
+To completely change Devise defaults or invoke custom behaviour, you can also pass a block:
+
+```ruby
+def configure_permitted_parameters
+  devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:username, :email) }
+end
+```
+
 If you have multiple Devise models, you may want to set up different parameter sanitizer per model. In this case, we recommend inheriting from `Devise::ParameterSanitizer` and add your own logic:
 
 ```ruby
@@ -252,7 +259,7 @@ rails generate devise:views users
 
 If the customization at the views level is not enough, you can customize each controller by following these steps:
 
-1. Create your custom controller, for example a `Admins::SessionsController`:  
+1. Create your custom controller, for example a `Admins::SessionsController`:
 
     ```ruby
     class Admins::SessionsController < Devise::SessionsController
@@ -441,12 +448,6 @@ We have a long list of valued contributors. Check them all at:
 
 https://github.com/plataformatec/devise/contributors
 
-### Maintainers
-
-* José Valim (https://github.com/josevalim)
-* Carlos Antônio da Silva (https://github.com/carlosantoniodasilva)
-* Rodrigo Flores (https://github.com/rodrigoflores)
-
 ## License
 
 MIT License. Copyright 2009-2013 Plataformatec. http://plataformatec.com.br

data/app/controllers/devise/confirmations_controller.rb

@@ -21,7 +21,7 @@ class Devise::ConfirmationsController < DeviseController
 
     if resource.errors.empty?
       set_flash_message(:notice, :confirmed) if is_navigational_format?
-      sign_in(resource_name, resource)
+      sign_in(resource_name, resource) if Devise.allow_insecure_sign_in_after_confirmation
       respond_with_navigational(resource){ redirect_to after_confirmation_path_for(resource_name, resource) }
     else
       respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render :new }
@@ -37,6 +37,10 @@ class Devise::ConfirmationsController < DeviseController
 
     # The path used after confirmation.
     def after_confirmation_path_for(resource_name, resource)
-      after_sign_in_path_for(resource)
+      if Devise.allow_insecure_sign_in_after_confirmation
+        after_sign_in_path_for(resource)
+      else
+        new_session_path(resource_name)
+      end
     end
 end

data/app/controllers/devise/registrations_controller.rb

@@ -117,10 +117,10 @@ class Devise::RegistrationsController < DeviseController
   end
 
   def sign_up_params
-    devise_parameter_sanitizer.for(:sign_up)
+    devise_parameter_sanitizer.sanitize(:sign_up)
   end
 
   def account_update_params
-    devise_parameter_sanitizer.for(:account_update)
+    devise_parameter_sanitizer.sanitize(:account_update)
   end
 end

data/app/controllers/devise/sessions_controller.rb

@@ -35,7 +35,7 @@ class Devise::SessionsController < DeviseController
   protected
 
   def sign_in_params
-    devise_parameter_sanitizer.for(:sign_in)
+    devise_parameter_sanitizer.sanitize(:sign_in)
   end
 
   def serialize_options(resource)

data/app/mailers/devise/mailer.rb

@@ -1,15 +1,18 @@
 class Devise::Mailer < Devise.parent_mailer.constantize
   include Devise::Mailers::Helpers
 
-  def confirmation_instructions(record, opts={})
+  def confirmation_instructions(record, token, opts={})
+    @token = token
     devise_mail(record, :confirmation_instructions, opts)
   end
 
-  def reset_password_instructions(record, opts={})
+  def reset_password_instructions(record, token, opts={})
+    @token = token
     devise_mail(record, :reset_password_instructions, opts)
   end
 
-  def unlock_instructions(record, opts={})
+  def unlock_instructions(record, token, opts={})
+    @token = token
     devise_mail(record, :unlock_instructions, opts)
   end
 end

data/app/views/devise/mailer/confirmation_instructions.html.erb

@@ -2,4 +2,4 @@
 
 <p>You can confirm your account email through the link below:</p>
 
-<p><%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @resource.confirmation_token) %></p>
+<p><%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @token) %></p>

data/app/views/devise/mailer/reset_password_instructions.html.erb

@@ -2,7 +2,7 @@
 
 <p>Someone has requested a link to change your password. You can do this through the link below.</p>
 
-<p><%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @resource.reset_password_token) %></p>
+<p><%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @token) %></p>
 
 <p>If you didn't request this, please ignore this email.</p>
 <p>Your password won't change until you access the link above and create a new one.</p>

data/app/views/devise/mailer/unlock_instructions.html.erb

@@ -4,4 +4,4 @@
 
 <p>Click the link below to unlock your account:</p>
 
-<p><%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @resource.unlock_token) %></p>
+<p><%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @token) %></p>

data/app/views/devise/shared/_links.erb

@@ -6,7 +6,7 @@
   <%= link_to "Sign up", new_registration_path(resource_name) %><br />
 <% end -%>
 
-<%- if devise_mapping.recoverable? && controller_name != 'passwords' %>
+<%- if devise_mapping.recoverable? && controller_name != 'passwords' && controller_name != 'registrations' %>
   <%= link_to "Forgot your password?", new_password_path(resource_name) %><br />
 <% end -%>
 
@@ -22,4 +22,4 @@
   <%- resource_class.omniauth_providers.each do |provider| %>
     <%= link_to "Sign in with #{provider.to_s.titleize}", omniauth_authorize_path(resource_name, provider) %><br />
   <% end -%>
-<% end -%>
+<% end -%>

data/config/locales/en.yml

@@ -8,12 +8,12 @@ en:
       send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes."
     failure:
       already_authenticated: "You are already signed in."
-      inactive: "Your account was not activated yet."
+      inactive: "Your account is not activated yet."
       invalid: "Invalid email or password."
       invalid_token: "Invalid authentication token."
       locked: "Your account is locked."
       not_found_in_database: "Invalid email or password."
-      timeout: "Your session expired, please sign in again to continue."
+      timeout: "Your session expired. Please sign in again to continue."
       unauthenticated: "You need to sign in or sign up before continuing."
       unconfirmed: "You have to confirm your account before continuing."
     mailer:

data/devise.gemspec

@@ -22,5 +22,6 @@ Gem::Specification.new do |s|
   s.add_dependency("warden", "~> 1.2.3")
   s.add_dependency("orm_adapter", "~> 0.1")
   s.add_dependency("bcrypt-ruby", "~> 3.0")
+  s.add_dependency("thread_safe", "~> 0.1")
   s.add_dependency("railties", ">= 3.2.6", "< 5")
 end

data/gemfiles/Gemfile.rails-3.2.x.lock

@@ -1,21 +1,22 @@
 PATH
   remote: ..
   specs:
-    devise (3.0.4)
+    devise (3.1.0.rc2)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
+      thread_safe (~> 0.1)
       warden (~> 1.2.3)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (3.2.13)
-      actionpack (= 3.2.13)
-      mail (~> 2.5.3)
-    actionpack (3.2.13)
-      activemodel (= 3.2.13)
-      activesupport (= 3.2.13)
+    actionmailer (3.2.14)
+      actionpack (= 3.2.14)
+      mail (~> 2.5.4)
+    actionpack (3.2.14)
+      activemodel (= 3.2.14)
+      activesupport (= 3.2.14)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
       journey (~> 1.0.4)
@@ -23,49 +24,49 @@ GEM
       rack-cache (~> 1.2)
       rack-test (~> 0.6.1)
       sprockets (~> 2.2.1)
-    activemodel (3.2.13)
-      activesupport (= 3.2.13)
+    activemodel (3.2.14)
+      activesupport (= 3.2.14)
       builder (~> 3.0.0)
-    activerecord (3.2.13)
-      activemodel (= 3.2.13)
-      activesupport (= 3.2.13)
+    activerecord (3.2.14)
+      activemodel (= 3.2.14)
+      activesupport (= 3.2.14)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activeresource (3.2.13)
-      activemodel (= 3.2.13)
-      activesupport (= 3.2.13)
-    activesupport (3.2.13)
-      i18n (= 0.6.1)
+    activeresource (3.2.14)
+      activemodel (= 3.2.14)
+      activesupport (= 3.2.14)
+    activesupport (3.2.14)
+      i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
     arel (3.0.2)
-    bcrypt-ruby (3.1.2)
+    atomic (1.1.13)
+    bcrypt-ruby (3.1.1)
     builder (3.0.4)
     erubis (2.7.0)
-    faraday (0.8.7)
-      multipart-post (~> 1.1)
+    faraday (0.8.8)
+      multipart-post (~> 1.2.0)
     hashie (1.2.0)
-    hike (1.2.2)
+    hike (1.2.3)
     httpauth (0.2.0)
-    i18n (0.6.1)
+    i18n (0.6.5)
     journey (1.0.4)
-    json (1.7.7)
+    json (1.8.0)
     jwt (0.1.8)
       multi_json (>= 1.5)
-    mail (2.5.3)
-      i18n (>= 0.4.0)
+    mail (2.5.4)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
     metaclass (0.0.1)
     mime-types (1.23)
     mocha (0.13.3)
       metaclass (~> 0.0.1)
-    mongoid (3.1.3)
+    mongoid (3.1.4)
       activemodel (~> 3.2)
-      moped (~> 1.4.2)
+      moped (~> 1.4)
       origin (~> 1.0)
       tzinfo (~> 0.3.22)
-    moped (1.4.5)
-    multi_json (1.7.3)
+    moped (1.5.1)
+    multi_json (1.7.9)
     multipart-post (1.2.0)
     nokogiri (1.5.9)
     oauth2 (0.8.1)
@@ -98,22 +99,22 @@ GEM
       rack
     rack-test (0.6.2)
       rack (>= 1.0)
-    rails (3.2.13)
-      actionmailer (= 3.2.13)
-      actionpack (= 3.2.13)
-      activerecord (= 3.2.13)
-      activeresource (= 3.2.13)
-      activesupport (= 3.2.13)
+    rails (3.2.14)
+      actionmailer (= 3.2.14)
+      actionpack (= 3.2.14)
+      activerecord (= 3.2.14)
+      activeresource (= 3.2.14)
+      activesupport (= 3.2.14)
       bundler (~> 1.0)
-      railties (= 3.2.13)
-    railties (3.2.13)
-      actionpack (= 3.2.13)
-      activesupport (= 3.2.13)
+      railties (= 3.2.14)
+    railties (3.2.14)
+      actionpack (= 3.2.14)
+      activesupport (= 3.2.14)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
       thor (>= 0.14.6, < 2.0)
-    rake (10.0.4)
+    rake (10.1.0)
     rdoc (3.12.2)
       json (~> 1.4)
     ruby-openid (2.2.3)
@@ -124,8 +125,10 @@ GEM
       tilt (~> 1.1, != 1.3.0)
     sqlite3 (1.3.7)
     thor (0.18.1)
-    tilt (1.4.0)
-    treetop (1.4.12)
+    thread_safe (0.1.2)
+      atomic
+    tilt (1.4.1)
+    treetop (1.4.14)
       polyglot
       polyglot (>= 0.3.1)
     tzinfo (0.3.37)