I thought Marshal and non-safe yaml are fundamentally unsafe. You’re allowing input to instantiate arbitrary objects. It’s relatively easy to find an exploitable class.
Python’s pickle function is equivalent and has a warning about this.
I very vaguely recall that the format works across machines (and it was used in old versions of RPGMaker)? Looks like it's actually documented now, since https://docs.ruby-lang.org/en/2.1.0/marshal_rdoc.html has a description.
As a general rule they will work anywhere, as long as the major version of the Marshal format is the same, and this hasn’t changed since Ruby 1.8. I expect if it ever did change (I can’t see any reason for it to ever do so though) there would probably be some sort of backwards compatibility available, as the Ruby community really hates making breaking changes between language versions, especially without offering some kind of relatively easy solution for making older code work.
kayodelycaon|6 months ago
Python’s pickle function is equivalent and has a warning about this.
Alifatisk|6 months ago
mook|6 months ago
zoky|6 months ago