[Plugin: WP-OpenID] v3.1.2: Warning: open_basedir restriction (14 posts)

  1. Erunafailaro
    Member
    Posted 5 years ago #

    Hello,

    I installed version 3.1.2 of this plugin and now receive the following warning on every page in the admin-section:

    <strong>Warning</strong>: is_readable() [function.is-readable]: open_basedir restriction in effect. File(/dev/urandom) is not within the allowed path(s): (/www/htdocs/:/tmp:/usr/bin:/bin:/usr/local/bin:/usr/share/php) in <strong>/www/htdocs//wp-content/plugins/openid/openid.php on line 26</strong>

    Please advise.

    http://wordpress.org/extend/plugins/openid/

  2. szpak
    Member
    Posted 5 years ago #

    I got the same behavior when I did an upgrade to wp-openid 3.1.2.

    The code at line 26 of openid.php is

    if (!is_readable('/dev/urandom')) define( 'Auth_OpenID_RAND_SOURCE', null );

    which just seems to be checking that /dev/urandom is readable, and if not it sets Auth_OpenID_RAND_SOURCE to null. The upgrade succeeds, but admin pages give that error message.

  3. jelly
    Member
    Posted 5 years ago #

    I got the same problem after updating to 3.1.2.

  4. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    Change this:
    !is_readable('/dev/urandom')

    To this:
    !@is_readable('/dev/urandom')

    That should suppress the warning.

  5. Will Norris
    Member
    Posted 5 years ago #

    ahh, thanks Otto. fixed in 3.1.3 (just released)

  6. Erunafailaro
    Member
    Posted 5 years ago #

    Great job, wnorris! Thanks for supplying this hotfix :-)

  7. jessai
    Member
    Posted 5 years ago #

    Suppressing a warning in PHP does not resolve it.

    You have to put the absolute way and it works without a warning.

  8. Will Norris
    Member
    Posted 5 years ago #

    @jessai: I'm not sure I follow... what are you suggesting?

  9. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    @jessai: No, that does indeed resolve it. The purpose of that line, if you look closely, is to attempt to use /dev/urandom as a source for random bits, if it's available. If it is not available, then it uses some other source. In this case, the attempt to check to see if it is available (it's not) also produces a worthless warning. Suppressing the warning is therefore the correct thing to do in this case.

  10. cyberczar
    Member
    Posted 5 years ago #

    This is what I got back from my Webhost today:

    The supported method for generating strong random numbers is mcrypt_create_iv().

    Is that worth looking into?

  11. Will Norris
    Member
    Posted 5 years ago #

    @cyberczar: not really. The idea is that the OpenID library would prefer to use a true random number generator provided by the OS. If that is not available (particularly in the case of Windows), the library automatically falls back to a pseudorandom number generator (mt_rand to be exact). This is effectively the same mechanism mt_crypt_iv() uses, so it wouldn't make a difference.

  12. jessai
    Member
    Posted 5 years ago #

    The open_basedir restriction is for security.

    You can write only in the repository where you are or the way in open_basedir for you:

    /www/htdocs/:/tmp:/usr/bin:/bin:/usr/local/bin:/usr/share/php

    You can specify an absolute way like var/www/vitual/htdocs/yourdomaine/whereyouwanttowrite/

  13. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    You can write only in the repository where

    You may have noticed that this has nothing to do with "writing", since he's calling "is_readable()".

    open_basedir restrictions are paranoid-level security, since they don't affect what can be written, but what can be read. The operating system should be capable of handling that stuff without overly tight open_basedir restrictions.

  14. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    You can write only in the repository where

    You may have noticed that this has nothing to do with "writing", since he's calling "is_readable()".

    An open_basedir restriction is basically a paranoid level of security, since it doesn't affect what can be written, but what can be opened. The operating system should be capable of handling that stuff without overly tight open_basedir restrictions.
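
The probe on line 26 of openid.php can also be written so that the warning is never raised, rather than suppressed with `@`. The following is an added example, not part of the thread or the plugin's code: it checks the configured open_basedir list first and calls is_readable() only when /dev/urandom is permitted. The function names `path_allowed` and `pick_rand_source` are hypothetical, the code assumes PHP 7.1 or later, and the path matching is a simplified approximation (directory-name semantics, no symlink resolution).

```php
<?php
// Added example, not code from the plugin. Function names are hypothetical.

/**
 * Approximate the open_basedir test for $path. Assumptions: entries are
 * directory names (PHP >= 5.3.4 semantics) and no symlinks are involved.
 */
function path_allowed(string $path, string $openBasedir): bool
{
    if ($openBasedir === '') {
        return true; // no restriction configured
    }
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $dir) {
        if ($dir === '') {
            continue; // ignore empty entries such as a trailing separator
        }
        // Normalise to "dir/" so that /tmp does not match /tmpfoo.
        $dir = rtrim($dir, '/') . '/';
        if (strncmp($path . '/', $dir, strlen($dir)) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Return '/dev/urandom' when it may be used, or null so the caller falls
 * back, mirroring define('Auth_OpenID_RAND_SOURCE', null) in the thread.
 */
function pick_rand_source(string $openBasedir): ?string
{
    $dev = '/dev/urandom';
    // is_readable() runs only for permitted paths, so PHP never raises
    // the open_basedir warning and nothing needs to be suppressed.
    if (path_allowed($dev, $openBasedir) && is_readable($dev)) {
        return $dev;
    }
    return null;
}

// open_basedir value quoted in the first post of the thread.
$reported = '/www/htdocs/:/tmp:/usr/bin:/bin:/usr/local/bin:/usr/share/php';
var_dump(pick_rand_source($reported));

// Value in effect for the current PHP process (empty string if unset).
var_dump(pick_rand_source((string) ini_get('open_basedir')));
```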
