Marshal madness: A brief history of Ruby deserialization exploits (blog.trailofbits.com)
25 points by pentestercrab 6 days ago | 4 comments
kayodelycaon 2 days ago | parent | next
I thought Marshal and non-safe YAML are fundamentally unsafe. You're allowing input to instantiate arbitrary objects. It's relatively easy to find an exploitable class. Python's pickle function is equivalent and has a warning about this.
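The point the comment makes, shown in runnable Ruby as an added example (not code from the thread or from the Trail of Bits post): Marshal.load instantiates whatever class the payload names and runs that class's load hook, with no way for the caller to restrict which classes are allowed, whereas YAML.safe_load and JSON.parse give the caller that control. The LoadTracker class, the YAML text and the JSON text are all constructed for this example.

```ruby
require "json"
require "yaml"

# Constructed class for this example: its only job is to record that
# Marshal.load instantiated it and ran its custom load hook.
class LoadTracker
  @@hook_calls = 0

  def self.hook_calls
    @@hook_calls
  end

  attr_reader :label

  def initialize(label)
    @label = label
  end

  # Marshal calls marshal_dump when writing and marshal_load when reading.
  def marshal_dump
    @label
  end

  def marshal_load(label)
    @label = label
    @@hook_calls += 1
  end
end

# Marshal.load builds whatever class the stream names and runs its hook;
# the caller cannot restrict the set of classes, so this is only safe for
# data the process itself produced and kept under its own control.
def marshal_roundtrip(obj)
  Marshal.load(Marshal.dump(obj))
end

# YAML.safe_load instantiates only classes the caller lists; any other
# !ruby/object tag raises Psych::DisallowedClass instead of being built.
def yaml_load_restricted(yaml_text, permitted = [])
  YAML.safe_load(yaml_text, permitted_classes: permitted)
  :allowed
rescue Psych::DisallowedClass
  :blocked
end

# JSON.parse yields only strings, numbers, arrays, hashes, booleans and nil,
# so it cannot instantiate application classes at all.
def json_classes(json_text)
  JSON.parse(json_text).map(&:class)   # assumes a top-level JSON array
end

# Constructed inputs (not real payloads).
YAML_OBJECT = "--- !ruby/object:LoadTracker\nlabel: from-yaml\n"
JSON_ARRAY  = '[1, "a", {"k": true}, null]'

if __FILE__ == $PROGRAM_NAME
  restored = marshal_roundtrip(LoadTracker.new("from-marshal"))
  puts "Marshal built #{restored.class} and ran marshal_load #{LoadTracker.hook_calls} time(s)"
  puts "safe_load, no allowlist:   #{yaml_load_restricted(YAML_OBJECT)}"
  puts "safe_load, LoadTracker ok: #{yaml_load_restricted(YAML_OBJECT, [LoadTracker])}"
  puts "JSON classes: #{json_classes(JSON_ARRAY).inspect}"
end
```

The practical rule this illustrates: Marshal has no allowlist, so the only safe input is data the application serialized itself and can authenticate (for example a signed cookie), while data from anyone else should go through a format that cannot name classes (JSON) or one where the accepted classes are explicit (YAML.safe_load with permitted_classes).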
|
Alifatisk 2 days ago | parent | prev
Do Marshal dumps work across different computers or is it only compatible with the same computer that dumped the Marshal?
mook 2 days ago | parent | next
I very vaguely recall that the format works across machines (and it was used in old versions of RPGMaker)? Looks like it's actually documented now, since https://docs.ruby-lang.org/en/2.1.0/marshal_rdoc.html has a description.
zoky 2 days ago | parent | prev
As a general rule they will work anywhere, as long as the major version of the Marshal format is the same, and this hasn't changed since Ruby 1.8. I expect if it ever did change (I can't see any reason for it to ever do so though) there would probably be some sort of backwards compatibility available, as the Ruby community really hates making breaking changes between language versions, especially without offering some kind of relatively easy solution for making older code work.
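The version check zoky describes can be seen directly in the byte stream, as an added example (not code from the thread): every Marshal dump begins with a major and a minor version byte (4.8 in every Ruby since 1.8, exposed as Marshal::MAJOR_VERSION and Marshal::MINOR_VERSION), and Marshal.load refuses a stream whose major version differs or whose minor version is newer than its own, while an older minor version still loads. The sample hash and the rewritten headers are constructed for this example.

```ruby
# Constructed sample object; not from the thread.
SAMPLE = { "user" => "alice", "roles" => ["reader"] }

# Return the [major, minor] version bytes that lead every Marshal dump.
def marshal_header(blob)
  blob.byteslice(0, 2).bytes
end

# Simulate a dump produced by a runtime with a different format version by
# overwriting the two header bytes and keeping the rest of the stream.
def with_version(blob, major, minor)
  [major, minor].pack("CC") + blob.byteslice(2..-1)
end

# Try to load a blob; return :ok, or the exception class if Ruby refuses it.
# A different major version, or a minor version newer than this Ruby's,
# raises TypeError ("incompatible marshal file format (can't be read)").
def load_result(blob)
  Marshal.load(blob)
  :ok
rescue TypeError => e
  e.class
end

if __FILE__ == $PROGRAM_NAME
  blob = Marshal.dump(SAMPLE)
  puts "header bytes: #{marshal_header(blob).inspect} " \
       "(this Ruby: #{Marshal::MAJOR_VERSION}.#{Marshal::MINOR_VERSION})"
  puts "as dumped:        #{load_result(blob)}"
  puts "major 5, minor 8: #{load_result(with_version(blob, 5, 8))}"
  puts "major 4, minor 9: #{load_result(with_version(blob, 4, 9))}"
  puts "major 4, minor 7: #{load_result(with_version(blob, 4, 7))}"
end
```

The version bytes are the only portability check Marshal performs; they say nothing about whether the classes named in the stream exist on the receiving side or whether the sender is trusted, so they are a compatibility feature, not a security control.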