User::isValidUserName prevents the local creation of usernames that are prefixed with namespace keys, i.e. User:Wikipedia:Bob is forbidden when Wikipedia: is a local namespace.
However, the vandal mentioned in bug 17877 demonstrated that CentralAuth (and AuthPlugins in general) can allow one to bypass this.
For example, create an account such as User:WP:ANI in a wiki that does not have a WP: namespace and then use single user login to create the same account on enwiki, where it would normally be forbidden.
I'm filing this separately from 17877 because strictly speaking one could address that issue without addressing this one (or vice versa), but I believe that if the AuthPlugin functionality is fixed to prevent the creation of accounts whose names are locally forbidden due to naming conflicts then that would eliminate the most likely and accessible path that leads to the bug described in 17877. (Other paths to a 17877 scenario include the post-facto creation of a conflicting namespace, or the use of RenameUser to intentionally move an account to a conflicting name.)
Also, I think the best approach is to patch Mediawiki to prevent AuthPlugins from creating new accounts for locally forbidden names, but I suppose one might also consider patching just CentralAuth to accomplish the same thing for just Wikimedia.
Version: unspecified
Severity: normal