Replace marshalling with serialization
Due to concerns over a possible vulnerability related to marshalling (should someone obtain write access to the Redis database the application is using), reported in #289, we've replaced the Marshalling feature with Serialization, allowing the user to specify their own serializer responding to the `.dump` and `.load` methods. This is similar to how Dalli works.
Using an alternative serializer like `YAML` or `JSON` means that if your Redis server becomes compromised in any way, the compromise cannot affect your running app. However, not all objects serialize cleanly to YAML and/or JSON. In order to achieve backwards compatibility, we have supplied `Marshal` as the default serializer object, and released a minor version of this gem. All recent versions of redis-store gems (like `redis-activesupport` and `redis-actionpack`) that depend on this gem allow for `redis-store` up to but not including 2.0.0, so to get this version you can run `bundle update redis-store`.
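The following is an added example, not redis-store's own code, showing the serializer contract the note describes (any object responding to `.dump` and `.load`), a data-only JSON serializer alongside the default `Marshal`, and why "not all objects serialize cleanly" to JSON. The `SerializingStore` class, the `PlainJsonSerializer` module and the `Session` struct are hypothetical; an in-memory Hash stands in for the Redis connection.

```ruby
require 'json'

# Hypothetical minimal store with a pluggable serializer (not redis-store's API).
# The only contract enforced is the one from the release note: dump and load.
# A plain Hash (constructed for this example) stands in for the Redis connection.
class SerializingStore
  def initialize(serializer: Marshal, backend: {})
    unless serializer.respond_to?(:dump) && serializer.respond_to?(:load)
      raise ArgumentError, "serializer must respond to .dump and .load"
    end
    @serializer = serializer
    @backend = backend
  end

  def write(key, value)
    @backend[key] = @serializer.dump(value)
  end

  def read(key)
    raw = @backend[key]
    raw.nil? ? nil : @serializer.load(raw)
  end

  # Stand-in for "something other than the app wrote bytes into Redis".
  def raw_write(key, bytes)
    @backend[key] = bytes
  end
end

# A JSON serializer restricted to plain data. On load it only ever builds
# Hash/Array/String/Numeric/nil/true/false, never application objects, so bytes
# an attacker placed in Redis come back as data, not as live objects.
module PlainJsonSerializer
  def self.dump(obj)
    JSON.generate(obj)
  end

  def self.load(str)
    JSON.parse(str)
  end
end

# Hypothetical application object, used to show the round-trip difference.
Session = Struct.new(:user_id, :roles)

# True when the serializer reproduces the object exactly.
def serializes_cleanly?(serializer, obj)
  serializer.load(serializer.dump(obj)) == obj
end

# Marshal reproduces the Struct as a Struct.
def marshal_roundtrip
  store = SerializingStore.new(serializer: Marshal)
  store.write("session:1", Session.new(42, ["admin"]))
  store.read("session:1")
end

# JSON round-trips plain data faithfully.
def json_roundtrip
  store = SerializingStore.new(serializer: PlainJsonSerializer)
  store.write("session:1", { "user_id" => 42, "roles" => ["admin"] })
  store.read("session:1")
end

# Bytes that were not written by the app (constructed here) come back as a
# plain Hash under the JSON serializer: the app's classes are never instantiated.
def untrusted_json_is_plain_data
  store = SerializingStore.new(serializer: PlainJsonSerializer)
  store.raw_write("session:1", '{"user_id":99,"roles":["admin"]}')
  store.read("session:1")
end

# Non-JSON bytes (constructed here) are rejected outright instead of being
# interpreted, which is the failure mode a defender wants.
def json_load_of_foreign_bytes
  store = SerializingStore.new(serializer: PlainJsonSerializer)
  store.raw_write("session:1", "\x04\x08not json".b)
  store.read("session:1")
rescue JSON::ParserError
  :rejected
end
```

`serializes_cleanly?(Marshal, Session.new(42, ["admin"]))` is true, while the same call with `PlainJsonSerializer` is false, because `JSON.generate` falls back to the Struct's string form and the value comes back as a `String`: that is the trade-off the note describes, and it is why `Marshal` stays the default while JSON or YAML is the safer choice for data that fits them.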
A CVE has been filed, CVE-2017-1000248, so that this issue is easier to refer to.