"It's the fault of anyone who used the library for paying no attention to the code (or apparently ever testing the code with even slightly creative input)."
I don't think that's fair. Do you think it's reasonable to expect people to audit every single module (even widely-used ones) they use? (I'm not talking about a software utopia where we have unlimited time and manpower; I'm talking about the real world where people have tight deadlines and code reuse is a lifesaver.)
In isolation, sure, things get overlooked. But such a core library for so long? (Well, kind of core; PEAR has a forked version which I presume was fixed earlier -- but why didn't that fix get pushed back to PHPXMLRPC?) I accept that one person might use it unwittingly, but the projects Stephen lists are large projects and they really should be paying more attention. Also, if this were the first bug like this, then it would be understandable. But the PHP community should have already learned its lesson on things like this.
I guess I'm spreading fault liberally. It's not like anyone is getting punished for this; assigning blame is purely for kicks. I don't think the original developer deserves all the blame; they did the work and tried. It was sloppy work, but supposedly one of the benefits of releasing your code is that other people will look at it. It took too long for that to happen in this case.

# Ian Bicking