SECURITY: fix IP leak to unverified email

CVE-2025-6593

Bug: T396230
Bug: T31856
Change-Id: Ibc13fafa0a00b3dc41b097bd7aa77c6a28767a57
Michael Große 2025-06-06 17:16:28 +02:00 committed by Reedy
parent 4b59ce1f25
commit 8a9ef65437


@ -1950,9 +1950,9 @@ class User implements Stringable, Authority, UserIdentity, UserEmailContact {
$emailAuthentication = $config->get( MainConfigNames::EmailAuthentication );
if ( $emailAuthentication && $type === 'changed' ) {
if ( $emailAuthentication && $type === 'changed' && $this->isEmailConfirmed() ) {
// Send the user an email notifying the user of the change in registered
// email address on their previous email address
// email address on their previous verified email address
$change = $str != '' ? 'changed' : 'removed';
$notificationResult = $this->sendMail(
wfMessage( 'notificationemail_subject_' . $change )->text(),