Opened 10 years ago
Closed 10 years ago
#32063 closed defect (bug) (worksforme)
XML-RPC API doesn't allow password containing single quote
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 2.6 |
| Component: | XML-RPC | Keywords: | reporter-feedback |
| Focuses: | | Cc: | |
Description
I'm having a weird error on method getOptions from XML-RPC API.
My password has a single quote ('), ex: abc'cba
Method getPosts works well, returning my blog posts.
curl --header "Accept: text/xml;" --data "<?xml version="1.0"?><methodCall><methodName>wp.getPosts</methodName><params><param><value><string></string></value></param><param><value><string>MYUSERNAME</string></value></param><param><value><string>abc'cba</string></value></param></params></methodCall>" http://www.MYBLOGURL.com/xmlrpc.php
Method getOptions doesn't work at all, returning "Incorrect username or password."
curl --header "Accept: text/xml;" --data "<?xml version="1.0"?><methodCall><methodName>wp.getOptions</methodName><params><param><value><string></string></value></param><param><value><string>MYUSERNAME</string></value></param><param><value><string>abc'cba</string></value></param></params></methodCall>" http://www.MYBLOGURL.com/xmlrpc.php
If I remove the single quote from password, both methods work well.
Change History (7)
#1 (10 years ago)
- Keywords needs-testing added
- Summary changed from XML-RPC API error 403 on method getOptions with correct password to XML-RPC API doesn't allow password containing single quote
- Version changed from 4.1.2 to 2.6
#2 (10 years ago)
- Owner set to markoheijnen
- Status changed from new to assigned
I will check it out in the next day to see what goes on there.
#3 (10 years ago), follow-up: ↓ 4
For what it's worth I tested against latest WordPress trunk, changed a user's password to "abc'cba" to match the test scenario described, and I'm able to call wp.getOptions with the password without issue. I used the exact curl command line specified except I used my localhost based URL and the username ("joez" as it happens) for my test user.
Is it possible @reprotector that your test installation has any plugins installed that might be modifying the default behavior of WordPress?
#4 (10 years ago), in reply to: ↑ 3
Hey, @redsweater, nice to see you here :)
It happens on WordPress.com and self-hosted (Dreamhost). I've disabled all plugins and the problem persists.
Replying to redsweater:
> For what it's worth I tested against latest WordPress trunk, changed a user's password to "abc'cba" to match the test scenario described, and I'm able to call wp.getOptions with the password without issue. I used the exact curl command line specified except I used my localhost based URL and the username ("joez" as it happens) for my test user.
> Is it possible @reprotector that your test installation has any plugins installed that might be modifying the default behavior of WordPress?
#5 (10 years ago)
Interesting @reprotector. Sounds like it will be a real puzzle to figure out! I wonder if somehow the username has something to do with it, too?
Looking at the API code in WordPress, it doesn't seem like the login process for wp.getOptions is much different than for other methods. It's hard to imagine how it would vary.
Is it possible you've only seen the bug happening on the command line with "curl"? Maybe your shell is handling the quoted string differently than mine? I noticed one thing that seemed a little odd was the use of " quotes inside " quotes, without escaping them.
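The shell-quoting question raised in comment 5, as an added example that is not part of the ticket or of WordPress code: it shows what the shell actually hands to curl for the quoting style used in the report, next to a request body built without nested double quotes. The function names `as_typed`, `xml_escape` and `build_payload` are hypothetical, and the shortened payload in `as_typed` is constructed.

```shell
#!/bin/sh
# Added example. Nothing here contacts a server; it only builds strings.

# Quoting as typed in the report (payload shortened, constructed).
# Each inner " ends the double-quoted string, so the shell joins three
# pieces: "<?xml version="  +  1.0  +  "?>...". The quotes around 1.0 are
# lost, while the single quote in the password survives untouched.
as_typed() {
  printf '%s' "<?xml version="1.0"?><string>abc'cba</string>"
}

# Escape the characters that are special inside XML element content.
# ' and " need no escaping there, so a password such as abc'cba or
# abc"123'456 passes through unchanged.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the request body used in the ticket: empty blog id, username,
# password. The template is single-quoted, so its " characters are literal,
# and the credentials are passed as separate arguments.
# $1 = method name, $2 = username, $3 = password
build_payload() {
  printf '<?xml version="1.0"?><methodCall><methodName>%s</methodName><params><param><value><string></string></value></param><param><value><string>%s</string></value></param><param><value><string>%s</string></value></param></params></methodCall>' \
    "$1" "$(xml_escape "$2")" "$(xml_escape "$3")"
}

# Show the difference between the two approaches.
printf 'as typed : %s\n' "$(as_typed)"
printf 'built    : %s\n' "$(build_payload wp.getOptions MYUSERNAME "abc'cba")"

# To send the built body, feed it to curl on stdin instead of --data "...":
#   build_payload wp.getOptions MYUSERNAME "abc'cba" |
#     curl --header "Accept: text/xml;" --data-binary @- http://www.MYBLOGURL.com/xmlrpc.php
```

Sending the body on stdin also keeps the password out of curl's argument list, where other local users could read it from the process table.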
#6 (10 years ago)
- Keywords reporter-feedback added; needs-testing removed
This is working for me on a self-hosted site. Neither of the examples below (using either wp.getOptions or wp.getPosts) work on WordPress.com though, which I assume is a WordPress.com-specific authentication bug.
Two tests with the password abc"123'456:
curl --header "Accept: text/xml;" --data "<?xml version="1.0"?><methodCall><methodName>wp.getOptions</methodName><params><param><value><string></string></value></param><param><value><string>admin</string></value></param><param><value><string>abc\"123'456</string></value></param></params></methodCall>" http://localhost/wordpress-develop/src/xmlrpc.php
<?php
include ABSPATH . WPINC . '/class-IXR.php';
$rpc = new IXR_Client( "http://localhost/wordpress-develop/src/xmlrpc.php" );
$rpc->query('wp.getOptions', 0, 'admin', 'abc"123\'456' );
var_dump( $rpc );
Thanks for the report reprotector.
This needs testing and verifying. This could well have existed since forever.
Previously: #24367, #26573.