It doesn't look like SpecialOpenIDLogin.body.php is doing the same checks that MediaWiki core is doing on account creation. I'm not sure if vandals could abuse this, but it would be good to check.
Specific checks that need to happen (apologies if I've missed these somewhere else):
- Username needs to be valid against the 'creatable' checks, so something like
$u = User::newFromName( $name, 'creatable' );
if ( !is_object( $u ) ) {
    return null;
}
- The AbortNewAccount hook should be run
- IP throttle needs to be checked
- Make sure the email passes Sanitizer::validateEmail()
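As an added illustration (not code from the OpenID extension), a pre-creation gate that SpecialOpenIDLogin could call before making a local account, running the four checks above in the order core's LoginForm applies them; the function name, the throttle via $wgAccountCreationThrottle and memcached as in LoginForm::addNewAccountInternal(), and the error message keys are assumptions.

```php
<?php
// Added example, not code from the OpenID extension: a gate that the OpenID
// login path could call before creating a local account, applying the same
// checks the report lists. Names (openIdAccountCreationAllowed, $error keys)
// are assumptions; the core calls are those of MediaWiki master at the time.
function openIdAccountCreationAllowed( $name, $email, &$error ) {
	global $wgAccountCreationThrottle, $wgMemc, $wgUser, $wgRequest;
	// 1. Username must pass the 'creatable' checks (reserved, too long, bad chars).
	$user = User::newFromName( $name, 'creatable' );
	if ( !is_object( $user ) ) {
		$error = 'noname';
		return false;
	}
	if ( $user->getId() !== 0 ) {
		$error = 'userexists';
		return false;
	}

	// 2. Email must be well-formed if the OpenID provider supplied one.
	if ( $email !== '' && !Sanitizer::validateEmail( $email ) ) {
		$error = 'invalidemailaddress';
		return false;
	}

	// 3. Let other extensions (anti-spam, blacklists) veto the creation.
	$abortError = '';
	if ( !wfRunHooks( 'AbortNewAccount', array( $user, &$abortError ) ) ) {
		$error = $abortError;
		return false;
	}

	// 4. Per-IP creation throttle, mirroring LoginForm::addNewAccountInternal():
	//    count creations per IP in memcached for a day, refuse above the limit.
	if ( $wgAccountCreationThrottle && $wgUser->isPingLimitable() ) {
		$key = wfMemcKey( 'acctcreate', 'ip', $wgRequest->getIP() );
		$value = $wgMemc->get( $key );
		if ( !$value ) {
			$wgMemc->set( $key, 0, 86400 );
		}
		if ( $value >= $wgAccountCreationThrottle ) {
			$error = 'acct_creation_throttle_hit';
			return false;
		}
		$wgMemc->incr( $key );
	}

	return true;
}
```

The throttle counter is incremented only after the other checks pass, so a rejected name or email does not consume the caller's quota.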
Thanks!
Version: master
Severity: normal
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=56660
https://bugzilla.wikimedia.org/show_bug.cgi?id=46617