Replace 'Marshal' with JSON serialiser

[koenrh]

The use of Marshal.load poses a security risk. It could lead to remote code execution when loading untrusted data. I don't think it is not beyond the realm of possibilities that for some reason some program or piece of code manages to update data stored at 'object-cache'-defined keys, which in turn is deserialised by 'object-cache' (and thus Marshal.load).

As far as I can tell this library only supports the serialisation and deserialisation of simple types, which means it is probably as easy as replacing Marshal with a JSON serialiser?

[koenrh]

A similar vulnerability was found in 'redis-store'. It was assigned CVE-2017-1000248. They solved it by adding support for pluggable serialisers (and eventually removing support for 'Marshaller'). See: redis-store/redis-store#290

cc @JeanMertz @jurriaan