kbjr / ExtID

OpenID and OAuth together in one easy-to-use external ID library

Auth_OpenID_RAND_SOURCE Error #5

Closed kirs closed 13 years ago

kirs commented 13 years ago

Before redirecting to EXTID_AUTH_AX OpenID resource:

A PHP Error was encountered
Severity: User Error
Message: Define Auth_OpenID_RAND_SOURCE as null to continue with an insecure random number generator.
Filename: OpenID/CryptUtil.php
Line Number: 52

After redirect all works fine.

kbjr commented 13 years ago

This one I have seen before. What type of OS are you on? The problem is that it's trying to access /dev/urandom and it can't open it.

kirs commented 13 years ago

Ubuntu 10.04 server. You can try it here if Google or Yahoo.

kirs commented 13 years ago

In my opinion, it is only an OpenID library bug.

kbjr commented 13 years ago

Open up the CryptUtil.php file and tell me what it's defining that constant as. The only way that this error can occur is if 1) that const is set to NULL or 2) there is an error opening /dev/urandom.

kirs commented 13 years ago

```php
if (!defined('Auth_OpenID_RAND_SOURCE')) {
    /**
     * The filename for a source of random bytes. Define this yourself
     * if you have a different source of randomness.
     */
    define('Auth_OpenID_RAND_SOURCE', '/dev/urandom');
}
```

kbjr commented 13 years ago

Alright, try adding a var_dump(Auth_OpenID_RAND_SOURCE); in an else clause and tell me if it outputs anything.

kirs commented 13 years ago

You are right, it was undefined.

A PHP Error was encountered
Severity: Notice
Message: Use of undefined constant Auth_OpenID_RAND_SOURCE - assumed 'Auth_OpenID_RAND_SOURCE'
Filename: OpenID/CryptUtil.php
Line Number: 17

and after

string(23) "Auth_OpenID_RAND_SOURCE"

Maybe we should add define('Auth_OpenID_RAND_SOURCE', NULL); at the start of libraries/extid/ExtId.php?

kbjr commented 13 years ago

That would work as a patch, but falling back to NULL isn't considered "secure" (not that anyone is honestly going to hack it anyway (well, hopefully...)). It's up to you, it's your website. If you set it to NULL, it will fall back on using PHP's mt_rand function.

kirs commented 13 years ago

What would you do in this case? What would you recommend?

kbjr commented 13 years ago

Well, I'm stubborn, I'd probably keep trying to figure out what's wrong, but that's me. I can't see that using NULL would cause any problems.

kirs commented 13 years ago

I've found the source of error!

Firstly, I ran the simple /dev/urandom check like in CryptUtil.php:

```php
$f = @fopen("/dev/urandom", "r");
var_dump($f);
```

It printed bool(false).

Then, ran just $f = fopen("/dev/urandom", "r");

Warning: fopen(): open_basedir restriction in effect. File(/dev/urandom) is not within the allowed path(s): (/home/user:.:/tmp) in /home/user/www/dostavka-peska.ru/test.php on line 2
Warning: fopen(/dev/urandom): failed to open stream: Operation not permitted in /home/user/www/dostavka-peska.ru/test.php on line 2

On my server, open_basedir restricted all paths except the user's homedir. So PHP had no permission to read /dev/urandom, and that error with Auth_OpenID_RAND_SOURCE occurred.

After fixing that, ExtID works fine!
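
The diagnosis above (the @ in @fopen swallowed the open_basedir warning, so CryptUtil.php could only report a generic failure) suggests a pre-flight check an operator can run before deciding how to handle the error. The script below is an added example, not code from ExtID, php-openid or anyone in this thread. It reproduces PHP's open_basedir test in userland so the report names the restriction explicitly, and it fails closed instead of defining Auth_OpenID_RAND_SOURCE as NULL, which would downgrade the library to mt_rand(). The function name checkRandSource and the default path are assumptions; the constant name and the "/home/user:.:/tmp" style of open_basedir value come from the thread.

```php
<?php
// Added example (not part of ExtID or this issue): explain *why* the
// configured random source cannot be opened before choosing a workaround.
// Helper name and default path are assumptions; the constant name is the
// one CryptUtil.php uses.

function checkRandSource(string $path = '/dev/urandom'): array
{
    $basedir = ini_get('open_basedir');
    $report = [
        'path'         => $path,
        'readable'     => false,
        'open_basedir' => $basedir,
        'reason'       => null,
    ];

    // PHP enforces open_basedir before the file is opened, so mirror that
    // check here: the report then names the restriction rather than the
    // generic "Operation not permitted" that @fopen() hides.
    if ($basedir !== false && $basedir !== '') {
        $allowed = false;
        foreach (explode(PATH_SEPARATOR, $basedir) as $dir) {
            // "." in open_basedir means the current working directory.
            $dir = ($dir === '.') ? getcwd() : rtrim($dir, '/');
            if ($dir !== '' && strpos($path, $dir . '/') === 0) {
                $allowed = true;
                break;
            }
        }
        if (!$allowed) {
            $report['reason'] = "open_basedir restriction: $path is not within $basedir";
            return $report;
        }
    }

    $f = @fopen($path, 'rb');
    if ($f === false) {
        $err = error_get_last();
        $report['reason'] = $err ? $err['message'] : "fopen($path) failed";
        return $report;
    }

    // A device that opens but yields nothing is just as unusable as one that
    // cannot be opened, so require a full read of a small sample.
    $bytes = fread($f, 16);
    fclose($f);
    if ($bytes === false || strlen($bytes) !== 16) {
        $report['reason'] = "short read from $path";
        return $report;
    }

    $report['readable'] = true;
    return $report;
}

$r = checkRandSource();
if ($r['readable']) {
    echo "OK: {$r['path']} is usable as Auth_OpenID_RAND_SOURCE\n";
    exit(0);
}

// Fail closed: report the cause (in this thread, open_basedir) instead of
// silently defining Auth_OpenID_RAND_SOURCE as NULL and running the OpenID
// handshake on mt_rand(), which is not a cryptographic generator.
fwrite(STDERR, "Cannot use {$r['path']}: {$r['reason']}\n");
fwrite(STDERR, 'open_basedir = ' . var_export($r['open_basedir'], true) . "\n");
exit(1);
```

Run it from the same PHP configuration (same php.ini, same virtual host) that serves the site, since open_basedir is often set per host; a CLI run with a different ini will report /dev/urandom as readable while the web request still fails. The remedy the thread arrived at, adding /dev/urandom to open_basedir, is the one that keeps the library on a kernel-backed random source; on PHP 7 and later, random_bytes() provides a CSPRNG that is not subject to open_basedir, but the php-openid code discussed here reads the device through fopen() and so needs the path allowed.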

kbjr commented 13 years ago

I believe that open_basedir is also activated as part of safe mode. I will add a note about these in the documentation.