The use of Marshal.load poses a security risk. It could lead to remote code execution when loading untrusted data. I don't think it is beyond the realm of possibility that for some reason some program or piece of code manages to update data stored at 'object-cache'-defined keys, which in turn is deserialised by 'object-cache' (and thus Marshal.load).
As far as I can tell this library only supports the serialisation and deserialisation of simple types, which means it is probably as easy as replacing Marshal with a JSON serialiser?
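An added example, not object-cache's own code, of the JSON-based replacement the comment suggests: a serialiser that refuses anything but simple types on the way in, and on the way out only ever builds plain Ruby data, so a tampered cache entry cannot cause arbitrary classes to be instantiated. The module name and the type whitelist are assumptions.

```ruby
require 'json'

# Example (not part of object-cache): a cache serialiser built on JSON
# instead of Marshal. JSON.parse only constructs Hash, Array, String,
# Numeric, true, false and nil, so tampered cache data cannot drive
# object instantiation the way Marshal.load can.
module SafeCacheSerializer
  # Simple types the cache is allowed to hold (assumed whitelist). Symbols
  # are accepted on the way in and come back as Strings after a round trip.
  PERMITTED = [Hash, Array, String, Symbol, Integer, Float,
               TrueClass, FalseClass, NilClass].freeze

  class UnsupportedType < ArgumentError; end

  # Recursively reject anything that is not a simple type. Marshal would
  # silently accept an arbitrary object graph here; we fail loudly instead.
  def self.check!(value)
    unless PERMITTED.any? { |klass| value.is_a?(klass) }
      raise UnsupportedType, "cannot cache #{value.class.name}"
    end
    case value
    when Hash  then value.each { |k, v| check!(k); check!(v) }
    when Array then value.each { |v| check!(v) }
    end
    value
  end

  def self.dump(value)
    JSON.generate(check!(value))
  end

  # create_additions: false is already the default in json >= 2.0; it is
  # spelled out so a "json_class" key in tampered data is never honoured.
  def self.load(blob)
    JSON.parse(blob, create_additions: false)
  end
end

# Constructed sample of a stored entry whose "json_class" key would, with
# JSON additions enabled, ask the parser to build a Range. Here it is just
# a Hash with a string key, which is the point of the defensive loader.
TAMPERED_BLOB = '{"json_class":"Range","a":[1,2,false]}'.freeze

def tampered_entry_is_plain_hash?
  SafeCacheSerializer.load(TAMPERED_BLOB).instance_of?(Hash)
end
```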