PHPass error: function name must be a string

Question

I get this error with PHPass:

Warning: is_readable(): open_basedir restriction in effect. File(/dev/urandom) is not within the allowed path(s): (/customers/example.com/example.com/httpd.www:/customers/example.com/example.com/httpd.private:/customers/example.com/example.com/tmp:/customers/example.com/example.com:/var/www/diagnostics:/usr/share/php) in /customers/example.com/example.com/httpd.www/example/scripts/PasswordHash.php on line 51 Fatal error: Function name must be a string in /customers/example.com/example.com/httpd.www/example/register.php on line 82

Lines 51-54 on PasswordHash.php (PHPass):

    if (is_readable('/dev/urandom') &&
        ($fh = @fopen('/dev/urandom', 'rb'))) {
        $output = fread($fh, $count);
        fclose($fh);

Lines 81-84 of register.php (also including: the first two lines are the require and the $hasher):

require('scripts/PasswordHash.php');
$hasher = new PasswordHash(8, false);
$hash = $hasher->HashPassword($pw);
if($strlen($hash) < 20){
    $notice[] = "Error";
}

So, what does this error mean?

Answer 1

The open_basedir restriction is a security measure in PHP, basically limiting access to the file system to specific directories. This is useful in a shared environment where everyone should have access to their own files only. The default setting is to allow all files to be opened.

In this case, phpass is trying to access /dev/urandom, which is not included in your allowed directories, causing the error. The fix is to change the settings in for open_basedir in your php.ini to allow /dev/urandom (or allow everything).

Version 1.8 of phpass resolves this issue by suppressing the error:

Changes since revision 1.7: +2 -2 lines:

Prefixed is_readable() with "@" to suppress warning when open_basedir restriction is in effect.