From: Mikael Nordfeldth <mmn@hethane.se>
Date: Tue, 3 Jun 2014 10:51:52 +0000 (+0200)
Subject: Default of Magicsig keypair toString should be secure
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=aaef11077d6e79f2cb843fd7e27d74336eb1476d;p=quix0rs-gnu-social.git

Default of Magicsig keypair toString should be secure

Prevent crappy coders from leaking private keys.
---

diff --git a/plugins/OStatus/OStatusPlugin.php b/plugins/OStatus/OStatusPlugin.php
index 704b457272..42ee9a43ef 100644
--- a/plugins/OStatus/OStatusPlugin.php
+++ b/plugins/OStatus/OStatusPlugin.php
@@ -1349,7 +1349,7 @@ class OStatusPlugin extends Plugin
 
         if ($magicsig instanceof Magicsig) {
             $xrd->links[] = new XML_XRD_Element_Link(Magicsig::PUBLICKEYREL,
-                                'data:application/magic-public-key,'. $magicsig->toString(false));
+                                'data:application/magic-public-key,'. $magicsig->toString());
         }
 
         // TODO - finalize where the redirect should go on the publisher
diff --git a/plugins/OStatus/classes/Magicsig.php b/plugins/OStatus/classes/Magicsig.php
index 82ee710559..2ee52dd347 100644
--- a/plugins/OStatus/classes/Magicsig.php
+++ b/plugins/OStatus/classes/Magicsig.php
@@ -169,10 +169,10 @@ class Magicsig extends Managed_DataObject
     /**
      * Encode the keypair or public key as a string.
      *
-     * @param boolean $full_pair set to false to leave out the private key.
+     * @param boolean $full_pair set to true to include the private key.
      * @return string
      */
-    public function toString($full_pair = true)
+    public function toString($full_pair=false)
     {
         $mod = Magicsig::base64_url_encode($this->publicKey->modulus->toBytes());
         $exp = Magicsig::base64_url_encode($this->publicKey->exponent->toBytes());