For non-existent users ("This username was never registered"), it will instead show all anonymous Flow creations, risking that someone will accidentally delete constructive posts by anonymous users.
| mediawiki/extensions/Flow : REL1_28 | SECURITY: Don't treat non-existent user as "any anon" |
| mediawiki/extensions/Flow : REL1_27 | SECURITY: Don't treat non-existent user as "any anon" |
| mediawiki/extensions/Flow : master | SECURITY: Don't treat non-existent user as "any anon" |
Now that the patch is deployed in production, should it be merged into master as well? It's not clear to me what the policy is for security fixes in extensions that are not part of the release bundle.
This is now merged to master and I've put up release branch backports:
Unfortunately, I ran into https://github.com/composer/composer/pull/5660, so the release branch commits are V-1. Nevertheless, it's public now, so I had to announce it to let people know to update. So I've sent it out to email@example.com and firstname.lastname@example.org, but we now need to get those merged.
Once the last two are merged, we should be able to merge the security patch backports cleanly.
Checked in enwiki betalabs - when a non-existing username is entered on Special:Nuke, the warning is displayed: "No new pages by [non-existing username] in recent changes." And no list of new pages is displayed.
QA Recommendation: Resolve
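The failure mode from the task description, as an added PHP model that is not code from the Flow extension. It assumes anonymous authors are stored under user ID 0 and that looking up an unregistered name also yields 0; every function name and all sample data are constructed for illustration.

```php
<?php
// Added model, not Flow's own code. Assumption: anonymous (IP) authors are
// stored with user ID 0 plus their IP address, and resolving an
// unregistered name also yields 0.
const ANON_ID = 0;

// Constructed sample data.
$users = [ 'Alice' => 1, 'Spammer' => 2 ];
$topics = [
    [ 'title' => 'Topic:A', 'user_id' => 2, 'user_ip' => null ],
    [ 'title' => 'Topic:B', 'user_id' => 0, 'user_ip' => '198.51.100.7' ],
    [ 'title' => 'Topic:C', 'user_id' => 0, 'user_ip' => '203.0.113.9' ],
];

function isIp( string $name ): bool {
    return filter_var( $name, FILTER_VALIDATE_IP ) !== false;
}

/** Titles of the topics accepted by $match. */
function titles( array $topics, callable $match ): array {
    return array_column( array_filter( $topics, $match ), 'title' );
}

/** Before: an unregistered name silently becomes ID 0 and matches every anon. */
function topicsByUserWeak( array $users, array $topics, string $name ): array {
    if ( isIp( $name ) ) {
        return titles( $topics, fn ( $t ) => $t['user_ip'] === $name );
    }
    $id = $users[$name] ?? ANON_ID;
    return titles( $topics, fn ( $t ) => $t['user_id'] === $id );
}

/** After: an unregistered name is rejected before any query is built. */
function topicsByUserFixed( array $users, array $topics, string $name ): array {
    if ( isIp( $name ) ) {
        return titles( $topics, fn ( $t ) => $t['user_ip'] === $name );
    }
    if ( !isset( $users[$name] ) ) {
        return [];
    }
    $id = $users[$name];
    return titles( $topics, fn ( $t ) => $t['user_id'] === $id );
}

foreach ( [ 'Spammer', '198.51.100.7', 'NeverRegistered' ] as $name ) {
    printf( "%-16s weak=[%s] fixed=[%s]\n", $name,
        implode( ', ', topicsByUserWeak( $users, $topics, $name ) ),
        implode( ', ', topicsByUserFixed( $users, $topics, $name ) ) );
}
```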