From f9a86b01c975b4863fd7c9bc039353a5b8753f3c Mon Sep 17 00:00:00 2001
From: =?utf8?q?Gerg=C5=91=20Tisza?= <gtisza@wikimedia.org>
Date: Tue, 15 Nov 2016 02:27:02 +0000
Subject: [PATCH] Fix SpecialPasswordResetOnSubmit parameter handling

Special:PasswordReset will take either the username or the email
into account but never both. Reflect this in the way parameters
are passed to the hook.

This also makes sure hook handlers never receive an unsanitized
email address.

Change-Id: I8d3b3d81e0cd5f92e5cd0a866a16695638610592
---
 includes/user/PasswordReset.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/includes/user/PasswordReset.php b/includes/user/PasswordReset.php
index 889ec92b42..e023744b93 100644
--- a/includes/user/PasswordReset.php
+++ b/includes/user/PasswordReset.php
@@ -134,12 +134,14 @@ class PasswordReset {
 		if ( $resetRoutes['username'] && $username ) {
 			$method = 'username';
 			$users = [ User::newFromName( $username ) ];
+			$email = null;
 		} elseif ( $resetRoutes['email'] && $email ) {
 			if ( !Sanitizer::validateEmail( $email ) ) {
 				return StatusValue::newFatal( 'passwordreset-invalidemail' );
 			}
 			$method = 'email';
 			$users = $this->getUsersByEmail( $email );
+			$username = null;
 		} else {
 			// The user didn't supply any data
 			return StatusValue::newFatal( 'passwordreset-nodata' );
-- 
2.20.1