Issues in bitcoin.class.php (development) - Issues in development - MPOS/php-mpos - Measure and Improve Code Quality continuously with Scrutinizer

Issues (431)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

include/classes/bitcoin.class.php (4 issues)

Labels

Severity

Sebastian Grewe 4

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;

/**
 * Bitcoin classes
 *
 * By Mike Gogulski - All rights reversed http://www.unlicense.org/ (public domain)
 *
 * If you find this library useful, your donation of Bitcoins to address
 * 1E3d6EWLgwisXY2CWXDcdQQP2ivRN7e9r9 would be greatly appreciated. Thanks!
 *
 * PHPDoc is available at http://code.gogulski.com/
 *
 * @author Mike Gogulski - http://www.nostate.com/ http://www.gogulski.com/
 * @author theymos - theymos @ http://bitcoin.org/smf
 */

define("BITCOIN_ADDRESS_VERSION", "00");// this is a hex byte
/**
 * Bitcoin utility functions class
 *
 * @author theymos (functionality)
 * @author Mike Gogulski
 * 	http://www.gogulski.com/ http://www.nostate.com/
 *  (encapsulation, string abstraction, PHPDoc)
 */
class Bitcoin {

  /*
   * Bitcoin utility functions by theymos
   * Via http://www.bitcoin.org/smf/index.php?topic=1844.0
   * hex input must be in uppercase, with no leading 0x
   */
  private static $hexchars = "0123456789ABCDEF";
  private static $base58chars = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

  /**
   * Convert a hex string into a (big) integer
   *
   * @param string $hex
   * @return int
   * @access private
   */
  private function decodeHex($hex) {
    $hex = strtoupper($hex);
    $return = "0";
    for ($i = 0; $i < strlen($hex); $i++) {
      $current = (string) strpos(self::$hexchars, $hex[$i]);
      $return = (string) bcmul($return, "16", 0);
      $return = (string) bcadd($return, $current, 0);
    }
    return $return;
  }

  /**
   * Convert an integer into a hex string
   *
   * @param int $dec
   * @return string
   * @access private
   */
  private function encodeHex($dec) {
    $return = "";
    while (bccomp($dec, 0) == 1) {

      $dv = (string) bcdiv($dec, "16", 0);
      $rem = (integer) bcmod($dec, "16");
      $dec = $dv;
      $return = $return . self::$hexchars[$rem];
    }
    return strrev($return);
  }

  /**
   * Convert a Base58-encoded integer into the equivalent hex string representation
   *
   * @param string $base58
   * @return string
   * @access private
   */
  private function decodeBase58($base58) {
    $origbase58 = $base58;

    $return = "0";
    for ($i = 0; $i < strlen($base58); $i++) {
      $current = (string) strpos(Bitcoin::$base58chars, $base58[$i]);
      $return = (string) bcmul($return, "58", 0);
      $return = (string) bcadd($return, $current, 0);
    }

    $return = self::encodeHex($return);

    //leading zeros
    for ($i = 0; $i < strlen($origbase58) && $origbase58[$i] == "1"; $i++) {
      $return = "00" . $return;
    }

    if (strlen($return) % 2 != 0) {
      $return = "0" . $return;
    }

    return $return;
  }

  /**
   * Convert a hex string representation of an integer into the equivalent Base58 representation
   *
   * @param string $hex
   * @return string
   * @access private
   */
  private function encodeBase58($hex) {
    if (strlen($hex) % 2 != 0) {
      die("encodeBase58: uneven number of hex characters");
    }
    $orighex = $hex;

    $hex = self::decodeHex($hex);
    $return = "";
    while (bccomp($hex, 0) == 1) {

      $dv = (string) bcdiv($hex, "58", 0);
      $rem = (integer) bcmod($hex, "58");
      $hex = $dv;
      $return = $return . self::$base58chars[$rem];
    }
    $return = strrev($return);

    //leading zeros
    for ($i = 0; $i < strlen($orighex) && substr($orighex, $i, 2) == "00"; $i += 2) {
      $return = "1" . $return;
    }

    return $return;
  }

  /**
   * Convert a 160-bit Bitcoin hash to a Bitcoin address
   *
   * @author theymos
   * @param string $hash160
   * @param string $addressversion
   * @return string Bitcoin address
   * @access public
   */
  public static function hash160ToAddress($hash160, $addressversion = BITCOIN_ADDRESS_VERSION) {
    $hash160 = $addressversion . $hash160;
    $check = pack("H*", $hash160);
    $check = hash("sha256", hash("sha256", $check, true));
    $check = substr($check, 0, 8);
    $hash160 = strtoupper($hash160 . $check);
    return self::encodeBase58($hash160);
  }

  /**
   * Convert a Bitcoin address to a 160-bit Bitcoin hash
   *
   * @author theymos
   * @param string $addr
   * @return string Bitcoin hash
   * @access public
   */
  public static function addressToHash160($addr) {
    $addr = self::decodeBase58($addr);
    $addr = substr($addr, 2, strlen($addr) - 10);
    return $addr;
  }

  /**
   * Determine if a string is a valid Bitcoin address
   *
   * @author theymos
   * @param string $addr String to test
   * @param string $addressversion
   * @return boolean
   * @access public
   */
  public static function checkAddress($addr, $addressversion = BITCOIN_ADDRESS_VERSION) {
    $addr = self::decodeBase58($addr);
    if (strlen($addr) != 50) {
      return false;
    }
    $version = substr($addr, 0, 2);
    if (hexdec($version) > hexdec($addressversion)) {
      return false;
    }
    $check = substr($addr, 0, strlen($addr) - 8);
    $check = pack("H*", $check);
    $check = strtoupper(hash("sha256", hash("sha256", $check, true)));
    $check = substr($check, 0, 8);
    return $check == substr($addr, strlen($addr) - 8);
  }

  /**
   * Convert the input to its 160-bit Bitcoin hash
   *
   * @param string $data
   * @return string
   * @access private
   */
  private function hash160($data) {
    $data = pack("H*", $data);
    return strtoupper(hash("ripemd160", hash("sha256", $data, true)));
  }

  /**
   * Convert a Bitcoin public key to a 160-bit Bitcoin hash
   *
   * @param string $pubkey
   * @return string
   * @access public
   */
  public static function pubKeyToAddress($pubkey) {
    return self::hash160ToAddress(self::hash160($pubkey));
  }

  /**
   * Remove leading "0x" from a hex value if present.
   *
   * @param string $string
   * @return string
   * @access public
   */
  public static function remove0x($string) {
    if (substr($string, 0, 2) == "0x" || substr($string, 0, 2) == "0X") {
      $string = substr($string, 2);
    }
    return $string;
  }
}

require_once(INCLUDE_DIR . "/lib/jsonRPCClient.php");

/**
 * Bitcoin client class for access to a Bitcoin server via JSON-RPC-HTTP[S]
 *
 * Implements the methods documented at https://www.bitcoin.org/wiki/doku.php?id=api
 *
 * @version 0.3.19
 * @author Mike Gogulski
 * 	http://www.gogulski.com/ http://www.nostate.com/
 */
class BitcoinClient extends jsonRPCClient {

  /**
   * Create a jsonrpc_client object to talk to the bitcoin server and return it,
   * or false on failure.
   *
   * @param string $scheme
   * 	"http" or "https"
   * @param string $username
   * 	User name to use in connection the Bitcoin server's JSON-RPC interface
   * @param string $password
   * 	Server password
   * @param string $address
   * 	Server hostname or IP address
   * @param mixed $port
   * 	Server port (string or integer)
   * @param string $certificate_path
   * 	Path on the local filesystem to server's PEM certificate (ignored if $scheme != "https")
   * @param integer $debug_level
   * 	0 (default) = no debugging;
   * 	1 = echo JSON-RPC messages received to stdout;
   * 	2 = log transmitted messages also
   * @return jsonrpc_client
   * @access public
   * @throws BitcoinClientException
   */
  public function __construct($scheme, $username, $password, $address = "localhost", $certificate_path = '', $debug = false) {
    $scheme = strtolower($scheme);
    if ($scheme != "http" && $scheme != "https")
      throw new Exception("Scheme must be http or https");
    if (empty($username))
      throw new Exception("Username must be non-blank");
    if (empty($password))
      throw new Exception("Password must be non-blank");
    if (!empty($certificate_path) && !is_readable($certificate_path))
      throw new Exception("Certificate file " . $certificate_path . " is not readable");
    $uri = $scheme . "://" . $username . ":" . $password . "@" . $address . "/";
    parent::__construct($uri, $debug);
  }

  /**
   * Test if the connection to the Bitcoin JSON-RPC server is working
   *
   * The check is done by calling the server's getinfo() method and checking
   * for a fault.
   *
   * To turn code compatible with BTC >= 0.16, getmininginfo() method used instead of getinfo()
   *
   * @return mixed boolean TRUE if successful, or a fault string otherwise
   * @access public
   * @throws none
   */
  public function can_connect() {
    try {
      $r = $this->getmininginfo();
$myVar = 'Value';
$higher = false;

if (rand(1, 6) > 3) {
    $higher = true;
} else {
    $higher = false;
}
    } catch (Exception $e) {
      return $e->getMessage();
    }
    return true;
  }

  public function validateaddress($coin_address) {
    try {
      $aStatus = parent::validateaddress($coin_address);
      if (!$aStatus['isvalid']) {
        return false;
      }
    } catch (Exception $e) {
      return false;
    }
    return true;
  }

  public function is_testnet() {
    try {
      $r = parent::getinfo();
class Daddy
{
    protected function getFirstName()
    {
        return "Eidur";
    }

    protected function getSurName()
    {
        return "Gudjohnsen";
    }
}

class Son
{
    public function getFirstName()
    {
        return parent::getSurname();
    }
}
      if ($r['testnet']) {
        return true;
      }
    } catch (Exception $e) {
      return false;
    }
    return false;
  }
}


1		<?php
2		$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
3
4		/**
5		* Bitcoin classes
6		*
7		* By Mike Gogulski - All rights reversed http://www.unlicense.org/ (public domain)
8		*
9		* If you find this library useful, your donation of Bitcoins to address
10		* 1E3d6EWLgwisXY2CWXDcdQQP2ivRN7e9r9 would be greatly appreciated. Thanks!
11		*
12		* PHPDoc is available at http://code.gogulski.com/
13		*
14		* @author Mike Gogulski - http://www.nostate.com/ http://www.gogulski.com/
15		* @author theymos - theymos @ http://bitcoin.org/smf
16		*/
17
18		define("BITCOIN_ADDRESS_VERSION", "00");// this is a hex byte
19		/**
20		* Bitcoin utility functions class
21		*
22		* @author theymos (functionality)
23		* @author Mike Gogulski
24		* http://www.gogulski.com/ http://www.nostate.com/
25		* (encapsulation, string abstraction, PHPDoc)
26		*/
27		class Bitcoin {
28
29		/*
30		* Bitcoin utility functions by theymos
31		* Via http://www.bitcoin.org/smf/index.php?topic=1844.0
32		* hex input must be in uppercase, with no leading 0x
33		*/
34		private static $hexchars = "0123456789ABCDEF";
35		private static $base58chars = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
36
37		/**
38		* Convert a hex string into a (big) integer
39		*
40		* @param string $hex
41		* @return int
42		* @access private
43		*/
44		private function decodeHex($hex) {
45		$hex = strtoupper($hex);
46		$return = "0";
47	View Code Duplication	for ($i = 0; $i < strlen($hex); $i++) {
48		$current = (string) strpos(self::$hexchars, $hex[$i]);
49		$return = (string) bcmul($return, "16", 0);
50		$return = (string) bcadd($return, $current, 0);
51		}
52		return $return;
53		}
54
55		/**
56		* Convert an integer into a hex string
57		*
58		* @param int $dec
59		* @return string
60		* @access private
61		*/
62		private function encodeHex($dec) {
63		$return = "";
64	View Code Duplication	while (bccomp($dec, 0) == 1) {
		0 ignored issues – show Duplication introduced 2015-12-09 12:23 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
65		$dv = (string) bcdiv($dec, "16", 0);
66		$rem = (integer) bcmod($dec, "16");
67		$dec = $dv;
68		$return = $return . self::$hexchars[$rem];
69		}
70		return strrev($return);
71		}
72
73		/**
74		* Convert a Base58-encoded integer into the equivalent hex string representation
75		*
76		* @param string $base58
77		* @return string
78		* @access private
79		*/
80		private function decodeBase58($base58) {
81		$origbase58 = $base58;
82
83		$return = "0";
84	View Code Duplication	for ($i = 0; $i < strlen($base58); $i++) {
85		$current = (string) strpos(Bitcoin::$base58chars, $base58[$i]);
86		$return = (string) bcmul($return, "58", 0);
87		$return = (string) bcadd($return, $current, 0);
88		}
89
90		$return = self::encodeHex($return);
91
92		//leading zeros
93	View Code Duplication	for ($i = 0; $i < strlen($origbase58) && $origbase58[$i] == "1"; $i++) {
94		$return = "00" . $return;
95		}
96
97		if (strlen($return) % 2 != 0) {
98		$return = "0" . $return;
99		}
100
101		return $return;
102		}
103
104		/**
105		* Convert a hex string representation of an integer into the equivalent Base58 representation
106		*
107		* @param string $hex
108		* @return string
109		* @access private
110		*/
111		private function encodeBase58($hex) {
112		if (strlen($hex) % 2 != 0) {
113		die("encodeBase58: uneven number of hex characters");
114		}
115		$orighex = $hex;
116
117		$hex = self::decodeHex($hex);
118		$return = "";
119	View Code Duplication	while (bccomp($hex, 0) == 1) {
		0 ignored issues – show Duplication introduced 2015-12-09 12:23 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
120		$dv = (string) bcdiv($hex, "58", 0);
121		$rem = (integer) bcmod($hex, "58");
122		$hex = $dv;
123		$return = $return . self::$base58chars[$rem];
124		}
125		$return = strrev($return);
126
127		//leading zeros
128	View Code Duplication	for ($i = 0; $i < strlen($orighex) && substr($orighex, $i, 2) == "00"; $i += 2) {
129		$return = "1" . $return;
130		}
131
132		return $return;
133		}
134
135		/**
136		* Convert a 160-bit Bitcoin hash to a Bitcoin address
137		*
138		* @author theymos
139		* @param string $hash160
140		* @param string $addressversion
141		* @return string Bitcoin address
142		* @access public
143		*/
144		public static function hash160ToAddress($hash160, $addressversion = BITCOIN_ADDRESS_VERSION) {
145		$hash160 = $addressversion . $hash160;
146		$check = pack("H*", $hash160);
147		$check = hash("sha256", hash("sha256", $check, true));
148		$check = substr($check, 0, 8);
149		$hash160 = strtoupper($hash160 . $check);
150		return self::encodeBase58($hash160);
151		}
152
153		/**
154		* Convert a Bitcoin address to a 160-bit Bitcoin hash
155		*
156		* @author theymos
157		* @param string $addr
158		* @return string Bitcoin hash
159		* @access public
160		*/
161		public static function addressToHash160($addr) {
162		$addr = self::decodeBase58($addr);
163		$addr = substr($addr, 2, strlen($addr) - 10);
164		return $addr;
165		}
166
167		/**
168		* Determine if a string is a valid Bitcoin address
169		*
170		* @author theymos
171		* @param string $addr String to test
172		* @param string $addressversion
173		* @return boolean
174		* @access public
175		*/
176		public static function checkAddress($addr, $addressversion = BITCOIN_ADDRESS_VERSION) {
177		$addr = self::decodeBase58($addr);
178		if (strlen($addr) != 50) {
179		return false;
180		}
181		$version = substr($addr, 0, 2);
182		if (hexdec($version) > hexdec($addressversion)) {
183		return false;
184		}
185		$check = substr($addr, 0, strlen($addr) - 8);
186		$check = pack("H*", $check);
187		$check = strtoupper(hash("sha256", hash("sha256", $check, true)));
188		$check = substr($check, 0, 8);
189		return $check == substr($addr, strlen($addr) - 8);
190		}
191
192		/**
193		* Convert the input to its 160-bit Bitcoin hash
194		*
195		* @param string $data
196		* @return string
197		* @access private
198		*/
199		private function hash160($data) {
200		$data = pack("H*", $data);
201		return strtoupper(hash("ripemd160", hash("sha256", $data, true)));
202		}
203
204		/**
205		* Convert a Bitcoin public key to a 160-bit Bitcoin hash
206		*
207		* @param string $pubkey
208		* @return string
209		* @access public
210		*/
211		public static function pubKeyToAddress($pubkey) {
212		return self::hash160ToAddress(self::hash160($pubkey));
213		}
214
215		/**
216		* Remove leading "0x" from a hex value if present.
217		*
218		* @param string $string
219		* @return string
220		* @access public
221		*/
222		public static function remove0x($string) {
223		if (substr($string, 0, 2) == "0x" \|\| substr($string, 0, 2) == "0X") {
224		$string = substr($string, 2);
225		}
226		return $string;
227		}
228		}
229
230		require_once(INCLUDE_DIR . "/lib/jsonRPCClient.php");
231
232		/**
233		* Bitcoin client class for access to a Bitcoin server via JSON-RPC-HTTP[S]
234		*
235		* Implements the methods documented at https://www.bitcoin.org/wiki/doku.php?id=api
236		*
237		* @version 0.3.19
238		* @author Mike Gogulski
239		* http://www.gogulski.com/ http://www.nostate.com/
240		*/
241		class BitcoinClient extends jsonRPCClient {
242
243		/**
244		* Create a jsonrpc_client object to talk to the bitcoin server and return it,
245		* or false on failure.
246		*
247		* @param string $scheme
248		* "http" or "https"
249		* @param string $username
250		* User name to use in connection the Bitcoin server's JSON-RPC interface
251		* @param string $password
252		* Server password
253		* @param string $address
254		* Server hostname or IP address
255		* @param mixed $port
256		* Server port (string or integer)
257		* @param string $certificate_path
258		* Path on the local filesystem to server's PEM certificate (ignored if $scheme != "https")
259		* @param integer $debug_level
260		* 0 (default) = no debugging;
261		* 1 = echo JSON-RPC messages received to stdout;
262		* 2 = log transmitted messages also
263		* @return jsonrpc_client
264		* @access public
265		* @throws BitcoinClientException
266		*/
267		public function __construct($scheme, $username, $password, $address = "localhost", $certificate_path = '', $debug = false) {
268		$scheme = strtolower($scheme);
269		if ($scheme != "http" && $scheme != "https")
270		throw new Exception("Scheme must be http or https");
271		if (empty($username))
272		throw new Exception("Username must be non-blank");
273		if (empty($password))
274		throw new Exception("Password must be non-blank");
275		if (!empty($certificate_path) && !is_readable($certificate_path))
276		throw new Exception("Certificate file " . $certificate_path . " is not readable");
277		$uri = $scheme . "://" . $username . ":" . $password . "@" . $address . "/";
278		parent::__construct($uri, $debug);
279		}
280
281		/**
282		* Test if the connection to the Bitcoin JSON-RPC server is working
283		*
284		* The check is done by calling the server's getinfo() method and checking
285		* for a fault.
286		*
287		* To turn code compatible with BTC >= 0.16, getmininginfo() method used instead of getinfo()
288		*
289		* @return mixed boolean TRUE if successful, or a fault string otherwise
290		* @access public
291		* @throws none
292		*/
293		public function can_connect() {
294		try {
295		$r = $this->getmininginfo();
		0 ignored issues – show Unused Code introduced 2015-12-09 12:23 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$r` is not used, you could remove the assignment. This check looks for variable assignements that are either overwritten by other assignments or where the variable is not used subsequently. $myVar = 'Value'; $higher = false; if (rand(1, 6) > 3) { $higher = true; } else { $higher = false; } Both the `$myVar` assignment in line 1 and the `$higher` assignment in line 2 are dead. The first because `$myVar` is never used and the second because `$higher` is always overwritten for every possible time line. Loading history...
296		} catch (Exception $e) {
297		return $e->getMessage();
298		}
299		return true;
300		}
301
302		public function validateaddress($coin_address) {
303		try {
304		$aStatus = parent::validateaddress($coin_address);
305		if (!$aStatus['isvalid']) {
306		return false;
307		}
308		} catch (Exception $e) {
309		return false;
310		}
311		return true;
312		}
313
314		public function is_testnet() {
315		try {
316		$r = parent::getinfo();
		0 ignored issues – show Comprehensibility Bug introduced 2015-12-09 12:23 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you call parent on a different method (`getinfo()` instead of `is_testnet()`). Are you sure this is correct? If so, you might want to change this to `$this->getinfo()`. This check looks for a call to a parent method whose name is different than the method from which it is called. Consider the following code: class Daddy { protected function getFirstName() { return "Eidur"; } protected function getSurName() { return "Gudjohnsen"; } } class Son { public function getFirstName() { return parent::getSurname(); } } The `getFirstName()` method in the `Son` calls the wrong method in the parent class. Loading history...
317		if ($r['testnet']) {
318		return true;
319		}
320		} catch (Exception $e) {
321		return false;
322		}
323		return false;
324		}
325		}
326

MPOS / php-mpos

Issues (431)

Security Analysis not enabled

include/classes/bitcoin.class.php (4 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like