Dec 22 2020
@sbassett Thank you for your guidance and for your help! : )
Dec 20 2020
That commit was merged upstream.
I added another pull request to cover more edge cases: https://github.com/CWRUChielLab/CASAuth/pull/11
For the sake of reference, the user name normalization appears to occur in the splitTitleString method, in includes/title/MediaWikiTitleCodec.php. There are additional special Unicode characters that are stripped out there.
Dec 19 2020
Should I make a CVE for this security issue?
Dec 17 2020
@sbassett The patch was merged!
Dec 15 2020
I created a pull request here: https://github.com/CWRUChielLab/CASAuth/pull/10
Dec 14 2020
@sbassett Is it okay for me to post the issue or merge request on GitHub a few days before the planned security announcement email goes out? I can shrink that gap if needed. Thanks.
Dec 13 2020
Okay, I worked on improving my patch, and so I'll put it here for now.
Dec 6 2020
Is there a rough timeline of when the security announcement will go out? I'd like to get the patch ready before then. Thanks : )
Dec 2 2020
I emailed site owners about the issue on 2020-11-23, by using mostly technical support contact addresses on their parent sites, but haven't heard back from any of them so far.
Sep 22 2020
Thanks for the tip. : ) I think that the regex for /__/ covers it, since three or more underscores in a row should still be matched by two of them. The same goes for the spaces. I don't know if this is the best way to handle this, but it seems like an okay stop-gap measure.