The bug was discovered by scanning the source code with a custom utility designed to detect instances where variables were incorrectly included in strings, as was the case in 0037250.

The mention_api.php file, line 81:

    static $s_pattern = null;
    if( $s_pattern === null ) {
        $t_quoted_tag = preg_quote( mentions_tag() );
        $s_pattern = '/(?:'
            # Negative lookbehind to ensure we have whitespace or start of
            # string before the tag - ensures we don't match a tag in the
            # middle of a word (e.g. e-mail address)
            . '(?<=^|[^\w])'
            # Negative lookbehind  to ensure we don't match multiple tags
            . '(?<!' . $t_quoted_tag . ')' . $t_quoted_tag
            . ')'
            # any word char, dash or period, must end with word char
            . '([\w\-.]*[\w])'
            # Lookforward to ensure next char is not a valid mention char or
            # the end of the string, or the mention tag
            . '(?=[^\w@]|$)'
            . '(?!$t_quoted_tag)' <---
            . '/';
    }

The interesting thing is that there are tests for this feature in MentionParsingTest.php, but the test doesn't cover this case, likely due to a typo in the test:

            'MentionAtEndOfWord' => array(
                "vboctor@",
                array()
            ),

Most likely, the tag should be at the beginning of the line too, like this:

            'MentionAtEndOfWord' => array(
                "@vboctor@",
                array()
            ),

But the most interesting thing is that even if you fix the test, it will continue to return a false positive! This happens because the test uses the “@” character (by default), and this character is matched by another part of the regular expression (?=[^\w@]|$), which is designed to isolate email addresses. And if you replace “@” in the test with any other character, such as “*”, the test will finally fail correctly.