Wed. Aug 12th, 2020

Rails releases: web-application framework

2 min read

Rails is a web-application framework that includes everything needed to create database-backed web applications according to the Model-View-Controller (MVC) pattern.

Understanding the MVC pattern is key to understanding Rails. MVC divides your application into three layers: Model, View, and Controller, each with a specific responsibility.

Model layer

The Model layer represents the domain model (such as Account, Product, Person, Post, etc.) and encapsulates the business logic specific to your application. In Rails, database-backed model classes are derived from ActiveRecord::BaseActive Recordallows you to present the data from database rows as objects and embellish these data objects with business logic methods. Although most Rails models are backed by a database, models can also be ordinary Ruby classes, or Ruby classes that implement a set of interfaces as provided by the Active Model module.

Controller layer

The Controller layer is responsible for handling incoming HTTP requests and providing a suitable response. Usually this means returning HTML, but Rails controllers can also generate XML, JSON, PDFs, mobile-specific views, and more. Controllers load and manipulate models, and render view templates in order to generate the appropriate HTTP response. In Rails, incoming requests are routed by Action Dispatch to an appropriate controller, and controller classes are derived from ActionController::Base. Action Dispatch and Action Controller are bundled together in Action Pack.

View layer

The View layer is composed of “templates” that are responsible for providing appropriate representations of your application’s resources. Templates can come in a variety of formats, but most view templates are HTML with embedded Ruby code (ERB files). Views are typically rendered to generate a controller response, or to generate the body of an email. In Rails, View generation is handled by Action View.


Rails was released.


Active Support

  • [CVE-2020-8165] Deprecate Marshal.load on raw cache read in RedisCacheStore
  • [CVE-2020-8165] Avoid Marshal.load on raw cache value in MemCacheStore

Action View

  • [CVE-2020-8167] Check that request is same-origin prior to including CSRF token in XHRs

Action Pack

  • [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
  • [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash

Active Storage

  • [CVE-2020-8162] Include Content-Length in signature for ActiveStorage direct upload