I thought Marshal and non-safe yaml are fundamentally unsafe. You’re allowing input to instantiate arbitrary objects. It’s relatively easy to find an exploitable class.
Python’s pickle function is equivalent and has a warning about this.
Do Marshal dumps work across different computers, or are they only compatible with the same computer that dumped the Marshal?
I very vaguely recall that the format works across machines (and it was used in old versions of RPGMaker)? Looks like it's actually documented now, since https://docs.ruby-lang.org/en/2.1.0/marshal_rdoc.html has a description.
As a general rule they will work anywhere, as long as the major version of the Marshal format is the same, and this hasn’t changed since Ruby 1.8. I expect if it ever did change (I can’t see any reason for it to ever do so though) there would probably be some sort of backwards compatibility available, as the Ruby community really hates making breaking changes between language versions, especially without offering some kind of relatively easy solution for making older code work.
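Added example, not part of any post in this thread: a Ruby sketch that reads the two-byte version header at the start of a Marshal dump and applies the documented compatibility rule (same major version, minor version no newer than the running interpreter's), then shows `YAML.safe_load` refusing a document that asks for an arbitrary object. The helper names, the sample dump, and the `SomeGadget` class name are constructed for illustration.

```ruby
require "yaml"

# Every Marshal stream begins with two bytes: major version, then minor version.
# Returns [major, minor], or nil when the input is too short to hold a header.
def marshal_version(bytes)
  return nil if bytes.nil? || bytes.bytesize < 2
  bytes.byteslice(0, 2).unpack("CC")
end

# Compatibility rule from the Marshal documentation: the major version must
# match and the minor version must be equal or lower than the interpreter's.
# This answers "can this Ruby read the dump?", NOT "is the dump safe to load?".
def loadable_here?(bytes)
  major, minor = marshal_version(bytes)
  return false if major.nil?
  major == Marshal::MAJOR_VERSION && minor <= Marshal::MINOR_VERSION
end

# For input that is not trusted, use a data-only loader instead of Marshal.load.
# YAML.safe_load permits plain scalars, arrays and hashes, and raises
# Psych::DisallowedClass when the document requests any other class.
def load_untrusted_yaml(text)
  YAML.safe_load(text)
rescue Psych::DisallowedClass
  :rejected
end

# Constructed sample data (not taken from the thread).
SAMPLE_DUMP = Marshal.dump({ "name" => "save1", "level" => 3 })
PLAIN_YAML  = "name: save1\nlevel: 3\n"
OBJECT_YAML = "--- !ruby/object:SomeGadget\nx: 1\n" # hypothetical class name

if __FILE__ == $PROGRAM_NAME
  p marshal_version(SAMPLE_DUMP)
  p loadable_here?(SAMPLE_DUMP)
  p load_untrusted_yaml(PLAIN_YAML)
  p load_untrusted_yaml(OBJECT_YAML)
end
```

A matching header only means the bytes can be parsed by this interpreter; whether to call `Marshal.load` still depends on whether the source of the bytes is trusted.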