From 62b436be081588ca1836acfc68ed76bc93601e25 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Fri, 11 Oct 2013 15:57:29 -0400
Subject: [PATCH] Disable storable encoding for client Clever things can live in Storable payloads that can essentially be remote execution. Disable that for now.
---
 perl-xCAT/xCAT/Client.pm | 11 +++++++----
 xCAT-server/sbin/xcatd | 20 +++++++++++---------
 2 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/perl-xCAT/xCAT/Client.pm b/perl-xCAT/xCAT/Client.pm
index 5f2ac75bb..0599b5c3c 100644
--- a/perl-xCAT/xCAT/Client.pm
+++ b/perl-xCAT/xCAT/Client.pm
@@ -261,11 +261,14 @@ if (ref($request) eq 'HASH') { # the request is an array, not pure XML
 }
 my $msg;
- my $encode = "storable";
- my $straightprint=0;
- if ($ENV{XCATXMLTRACE} or $ENV{XCATXMLWARNING}) { $encode="xml"; }
+ my $encode = "xml";
+ #storable encoding is unsafe, carry on with the unsafe xml scheme
+ #perhaps one day will support faster schemes
+ #my $encode = "storable";
+ #my $straightprint=0;
+ #if ($ENV{XCATXMLTRACE} or $ENV{XCATXMLWARNING}) { $encode="xml"; }
 if (ref($request) eq 'HASH') { # the request is an array, not pure XML
- print $client "xcatencoding: $encode\n";
+ #print $client "xcatencoding: $encode\n";
 my $encok=<$client>;
 send_request($request,$client,$encode);
 } else { #XML
diff --git a/xCAT-server/sbin/xcatd b/xCAT-server/sbin/xcatd
index fc491b881..fc5657c35 100755
--- a/xCAT-server/sbin/xcatd
+++ b/xCAT-server/sbin/xcatd
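Review bot: The context line `my $encok=<$client>;` is left active although the `print $client "xcatencoding: ..."` before it is now commented out, and the xcatd hunk in this same patch comments out the only visible code that answers with "Encoding accepted". The client therefore looks likely to block on that read until the server's `can_read(15)` timeout gives up, so I would disable the read together with the print: `#my $encok=<$client>;`. The new comment also calls XML "the unsafe xml scheme", which reads as a slip; `#storable encoding is unsafe for data from the network, carry on with the slower xml scheme` would record the reason. The enclosing if/else continues past the end of the hunk.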
@@ -2055,15 +2055,17 @@ sub service_connection {
 while (1) {
 unless ($clientsel->can_read(15)) { last; } #don't let an unresponsive client hold us up
 my $line = <$sock>; # grab one line, check for mode...
- if ($line and $line =~ /^xcatencoding: (.*)/) {
- unless ($supported_encodes{$1}) {
- print $sock "Unsupported encoding $1\n";
- last;
- }
- print $sock "Encoding accepted\n";
- $globalencode=$1;
- $line = "";
- }
+ #Commenting out, could be a remote exceution path
+ #consider sereal one day
+ #if ($line and $line =~ /^xcatencoding: (.*)/) {
+ # unless ($supported_encodes{$1}) {
+ # print $sock "Unsupported encoding $1\n";
+ # last;
+ # }
+ # print $sock "Encoding accepted\n";
+ # $globalencode=$1;
+ # $line = "";
+ #}
 $req = get_request($sock,$globalencode,$line);
 unless ($req) { last; }
 { #TODO: find closing brace..
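Review bot: `get_request($sock,$globalencode,$line)` still takes its encoding from `$globalencode`, and this hunk only removes the one visible assignment to it; the variable's initial value and any other writers are outside the hunk. If the intent is that xcatd never decodes Storable data read from the socket, passing the literal makes that hold at this call site regardless of the global: `$req = get_request($sock,"xml",$line);`. Any Storable branch in get_request and the matching `%supported_encodes` entry would then be better deleted than left reachable behind commented-out code. An older client that still sends `xcatencoding: storable` now has that line handed to get_request as request data, so it may be worth keeping the match only to answer `Unsupported encoding` and `last`, which gives a clear refusal. service_connection starts before and continues past the hunk, and the new comment has typos ("exceution", "sereal" for Sereal).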