Bug affecting XMLRPC

Bug affecting XMLRPC

There is some dispute as to who owns the bug. Some feel the developers behind PHP should address it while others feel that the libxml developers should resolve it. I'm not really interested in getting into that argument.

The low-down on the bug is that libxml 2.7.X has been rolled out into major linux distros like Cent-OS 5, Fedora 9 & Red Hat. (The only 2 current distros that I was able to find that have not gone past libxml 2.6.32 are Debian Etch and Ubuntu.) Although I did not research it, earlier versions of the distros like Cent-OS 4 & Fedora 8 probably have not rolled in libxml 2.7.X. When the current stable version of PHP 5 is compiled with libxml 2.7.X, the < and > signs get stripped out of html posted via XMLRPC. For example

&lt;p&gt;Hello world!&lt;/p&gt;

normally would get translated to

<p>Hello world!</p>

with the bug it gets translated to

pHello world!/p

If you are on a shared host, there probably is not a great deal you are going to be able to do about this other than weather the storm, so to speak. Most likely at some point you will encounter this bug if your shared host is on one of the OS's mentioned above. At the same time, the shared host ISPs will be under some pressure to find a solution because the bug affects all version of both WP & WPMU that support posting to a blog via XMLRPC.

If you are on a VPS, you can check your current libxml version by creating a php file on your website containing

<?php phpinfo(); ?>

and then load the php file in your web browser. Once loaded you can scroll down to a block that is titled libxml. Your libxml version is listed there. Versions up to 2.6.32 have tested ok for the html parsing. If your version is less than that then the best course of action over the next couple months is to NOT rebuild PHP.

There is a patch available. I haven't tried the patch and cannot vouch for it. On a manged VPS you may encounter difficulty in applying the patch (depending on the degree of control the VPS maintains on sources).

I researched this bug as a result of one of our clients having PHP recompiled on their Cent-OS 5 VPS in the last few weeks. If you are looking to set up a VPS in the next couple months, I would recommend that you steer clear of Cent-OS 5 VPS's.

Updated to add: Joseph Scott was one of the WP devs who worked on tracking down and testing libxml versions for the issue. He has lots of additional links on the bug here.

  • Barry
    Posted at 00:37h, 11 January Reply

    If you are WPMU, then grab this code and put it in your mu-plugins directory, so that you’ll always have a phpinfo() page available from your Site admin menu.


  • Greg
    Posted at 12:08h, 04 February Reply

    Thanks for detailing this. It’s just bitten me in the ass too! Fedora 10 workstation doing exactly this.

  • Scott
    Posted at 15:50h, 08 October Reply

    Hi Ron,
    Do you have any reports of a bug to MU after upgrading to 3.0? Our xmlrpc remote publishing was working fine prior to upgrade.

    Seems as if others had the issue: http://core.trac.wordpress.org/ticket/14037

    • Ron
      Posted at 19:14h, 08 October Reply

      That seems like it is occurring when the author has multiple blogs.

  • Scott
    Posted at 19:54h, 08 October Reply

    Just tried on an account with an account that has one blog (subscriber on the main) still does not work. Very odd tried on a setup that started as 3.0 and it works…

Post A Comment