
I'm using PHPass to encrypt passwords stored in my database. When running this code:

```php
if (is_readable('/dev/urandom') && ($fh = @fopen('/dev/urandom', 'rb'))) {
    ...
}
```

it produces this warning:

```
Warning: is_readable() [function.is-readable]: open_basedir restriction in effect. File(/dev/urandom) is not within the allowed path(s): (/home/d36234:/usr/local/lib/php:/var/apachefs/uploads:/tmp:/etc/file/magic) in /home/d36234/.../PasswordHash.php on line 51
```

What's wrong here, and how do I fix it?

Marcus

1 Answer


It tells you what's going on: `/dev/` is not one of the folders you are allowed to open files from; these are given in the error message. You would need to change the `open_basedir` value, if you can.

Otherwise, suppress the warning by replacing is_readable with @is_readable. PHPass will then use PHP functions to generate random values.

Alex
  • This would require access to the php.ini. I assume you are on some sort of shared hosting? Then you won't be able to change that (for good reasons, otherwise you could just go and explore other people's directories). You might have to make do with PHP's random functions, see http://stackoverflow.com/a/10364236/4421490 – Alex Jan 08 '15 at 11:13
  • Oh, actually, if you have a look at the second answer in the post I just linked, it looks like PHPass can function without access to `/dev/urandom`, so this is really just a warning, not an error message. If you want to, you can suppress the warning by changing `is_readable` to `@is_readable`. – Alex Jan 08 '15 at 11:16
  • Yeah, I've noticed that it still generates encrypted passwords, but since it cannot generate a good salt, they cannot be as good? Anyway - I think I solved it. I changed `is_readable('/dev/urandom')` to `is_readable('urandom')` which seems to create the file in the same directory which `PasswordHash.php` is located in, and thus no warning was generated. – Marcus Jan 08 '15 at 11:20
  • Well, now it's the fopen that fails, but this has an @ in front, so it does not issue a warning... Checking on a file different from the one you are trying to open might disappear the warning, but it creates very confusing code. – Alex Jan 08 '15 at 11:23
  • Well.. there was no file in /dev/ in the first place. I don't even have a directory called dev in that location – Marcus Jan 08 '15 at 11:29
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/68406/discussion-between-alex-and-marcus). – Alex Jan 08 '15 at 11:30
  • With PHP7, I'm not sure the suppression is working properly. I'm still getting an error back with `@is_readable()`. – Howdy_McGee Dec 31 '20 at 16:03
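
The following is an added example, not part of the question, the answer, the comments or PHPass itself. It shows one way to get salt bytes under an `open_basedir` restriction without raising the warning and without silently dropping to a weak generator: prefer `random_bytes()` (PHP 7+), which asks the operating system CSPRNG rather than opening a path through PHP's file functions, and only touch `/dev/urandom` after checking it against `open_basedir`. The function names are hypothetical, and the `open_basedir` string in the last lines is the one from the warning in the question.

```php
<?php
// Added example; function names are hypothetical, not part of PHPass.

// True when $path lies under an open_basedir entry, or no restriction is set.
// Simplified: entries are treated as directories and symlinks are not resolved.
function path_allowed_by_open_basedir($path, $basedir = null)
{
    if ($basedir === null) {
        $basedir = (string) ini_get('open_basedir');
    }
    if ($basedir === '') {
        return true;
    }
    foreach (explode(PATH_SEPARATOR, $basedir) as $entry) {
        $dir = rtrim($entry, '/');
        if ($entry === '/' || ($dir !== '' && ($path === $dir || strpos($path, $dir . '/') === 0))) {
            return true;
        }
    }
    return false;
}

// Returns $count bytes from a cryptographically secure source or throws.
function salt_bytes($count)
{
    if (function_exists('random_bytes')) {           // PHP 7+
        return random_bytes($count);
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $bytes = openssl_random_pseudo_bytes($count, $strong);
        if ($bytes !== false && $strong === true && strlen($bytes) === $count) {
            return $bytes;
        }
    }
    // Checking open_basedir first means is_readable() never emits the warning.
    if (path_allowed_by_open_basedir('/dev/urandom') && is_readable('/dev/urandom')) {
        $fh = fopen('/dev/urandom', 'rb');
        $bytes = $fh ? fread($fh, $count) : false;
        if ($fh) { fclose($fh); }
        if ($bytes !== false && strlen($bytes) === $count) {
            return $bytes;
        }
    }
    // Fail closed rather than fall back to a predictable generator.
    throw new RuntimeException('No cryptographically secure random source available');
}

$fromWarning = '/home/d36234:/usr/local/lib/php:/var/apachefs/uploads:/tmp:/etc/file/magic';
var_dump(path_allowed_by_open_basedir('/dev/urandom', $fromWarning));
echo bin2hex(salt_bytes(16)), "\n";
```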