@sbasset Thank you for your guidance and for your help! : )

That commit was merged upstream.

I added another pull request to cover more edge cases: https://github.com/CWRUChielLab/CASAuth/pull/11

For the sake of reference, the user name normalization appears to occur in the splitTitleString method, in includes/title/MediaWikiTitleCodec.php. There are additional special Unicode characters that are stripped out there.

Should I make a CVE for this security issue?

@sbassett The patch was merged!

I created a pull request here: https://github.com/CWRUChielLab/CASAuth/pull/10

@sbassett Is it okay for me to post the issue or merge request on GitHub a few days before the planned security announcement email goes out? I can shrink that gap if needed. Thanks.

Okay, I worked on improving my patch, and so I'll put it here for now.

Is there a rough timeline of when the security announcement will go out? I'd like to get the patch ready before then. Thanks : )

I emailed site owners about the issue on 2020-11-23, by using mostly technical support contact addresses on their parent sites, but haven't heard back from any of them so far.

Thanks for the tip. : ) I think that the regex for /__/ covers it, since three or more underscores in a row should still be matched by two of them. The same goes for the spaces. I don't know if this is the best way to handle this, but it seems like an okay stop-gap measure.