From 8a9ef65437e6da720c1c7a887d1b97dce4108eeb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Gro=C3=9Fe?=
Date: Fri, 6 Jun 2025 17:16:28 +0200
Subject: [PATCH] SECURITY: fix IP leak to unverified email CVE-2025-6593
Bug: T396230
Bug: T31856
Change-Id: Ibc13fafa0a00b3dc41b097bd7aa77c6a28767a57
---
 includes/user/User.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/includes/user/User.php b/includes/user/User.php
index df1be16d658..0865c163aeb 100644
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -1950,9 +1950,9 @@ class User implements Stringable, Authority, UserIdentity, UserEmailContact {
 $emailAuthentication = $config->get( MainConfigNames::EmailAuthentication );
- if ( $emailAuthentication && $type === 'changed' ) {
+ if ( $emailAuthentication && $type === 'changed' && $this->isEmailConfirmed() ) {
 // Send the user an email notifying the user of the change in registered
- // email address on their previous email address
+ // email address on their previous verified email address
 $change = $str != '' ? 'changed' : 'removed';
 $notificationResult = $this->sendMail(
 wfMessage( 'notificationemail_subject_' . $change )->text(),
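Review bot: The added `$this->isEmailConfirmed()` guard on the `if` is only correct while `$this` still holds the previous address, so it presumably depends on running before the new address is stored; that ordering lies outside this hunk and the comment does not record it. The comment also says what is sent but not why the check exists, so I would extend it with something like `// Only a confirmed previous address is notified, since the mail reveals details of the requester (T396230); keep this ahead of storing the new address.` The diffstat shows only `includes/user/User.php` changed, so no regression test pins the fix. A test asserting that `sendMail()` is not reached when the old address is unconfirmed would guard against a later refactor dropping the condition. The enclosing method starts and ends outside the hunk.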