From 9523569a4e2fef6ea0452ba33b4ed8b3b27ea0c0 Mon Sep 17 00:00:00 2001
From: Daimona Eaytoy <daimona.wiki@gmail.com>
Date: Mon, 8 Feb 2021 17:34:19 +0100
Subject: [PATCH] SECURITY: Remove deleted rows from /examine and /test

This is kind of a nuclear option: if anything in a row is hidden, we
hide the whole row. This is just to keep this patch slim. A public
follow-up will adjust the visibility.

Bug: T274152
Change-Id: I07f04c2d3225cf653d67a6badda270074d432ed2
---
 includes/Pager/AbuseFilterExaminePager.php | 3 ++-
 includes/View/AbuseFilterView.php          | 8 ++++++++
 includes/View/AbuseFilterViewTestBatch.php | 1 +
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/includes/Pager/AbuseFilterExaminePager.php b/includes/Pager/AbuseFilterExaminePager.php
index 1d32a8b1..e1e0788a 100644
--- a/includes/Pager/AbuseFilterExaminePager.php
+++ b/includes/Pager/AbuseFilterExaminePager.php
@@ -59,12 +59,13 @@ class AbuseFilterExaminePager extends ReverseChronologicalPager {
 		}
 
 		$conds[] = $this->mPage->buildTestConditions( $dbr );
+		$conds = array_merge( $conds, $this->mPage->buildVisibilityConditions() );
 
 		$rcQuery = RecentChange::getQueryInfo();
 		$info = [
 			'tables' => $rcQuery['tables'],
 			'fields' => $rcQuery['fields'],
-			'conds' => array_filter( $conds ),
+			'conds' => $conds,
 			'join_conds' => $rcQuery['joins'],
 		];
 
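Review bot: The `'conds' => $conds` line no longer strips empty entries, so any empty string or null appended to $conds earlier in this method (the code above the hunk is not visible) now reaches the query builder. Filtering before the merge keeps the old behaviour without losing the falsy `'rc_deleted' => 0` entry: `$conds = array_merge( array_filter( $conds ), $this->mPage->buildVisibilityConditions() );`. A short comment such as `// array_filter() after this point would drop 'rc_deleted' => 0 and re-expose hidden rows` would stop a later cleanup from undoing the fix. The same merge is added in AbuseFilterViewTestBatch.php, where it is worth confirming that $conds is not filtered further down, outside that hunk.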
diff --git a/includes/View/AbuseFilterView.php b/includes/View/AbuseFilterView.php
index 72e93178..b5adc553 100644
--- a/includes/View/AbuseFilterView.php
+++ b/includes/View/AbuseFilterView.php
@@ -183,6 +183,14 @@ abstract class AbuseFilterView extends ContextSource {
 		], LIST_OR );
 	}
 
+	/**
+	 * @todo Check what the user can actually see and use a proper bitmask. Core should provide such a method though.
+	 * @return array
+	 */
+	public function buildVisibilityConditions() : array {
+		return [ 'rc_deleted' => 0 ];
+	}
+
 	/**
 	 * @param string|int $id
 	 * @param string|null $text
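Review bot: The docblock on buildVisibilityConditions() carries only a @todo, so nothing tells a caller that this is the condition keeping hidden recentchanges rows out of /examine and /test. I would add a summary such as `Conditions that exclude every recentchanges row with any hidden field (rc_deleted != 0).` and a line noting that the returned `'rc_deleted' => 0` entry is falsy and must not be passed through array_filter(). Since the method is public on the abstract view, it would also help to state that every recentchanges query in these views is expected to merge it in; whether other such queries exist is not visible from this patch.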
diff --git a/includes/View/AbuseFilterViewTestBatch.php b/includes/View/AbuseFilterViewTestBatch.php
index 487a8ec0..e4236285 100644
--- a/includes/View/AbuseFilterViewTestBatch.php
+++ b/includes/View/AbuseFilterViewTestBatch.php
@@ -254,6 +254,7 @@ class AbuseFilterViewTestBatch extends AbuseFilterView {
 
 		$action = $this->mTestAction !== '0' ? $this->mTestAction : false;
 		$conds[] = $this->buildTestConditions( $dbr, $action );
+		$conds = array_merge( $conds, $this->buildVisibilityConditions() );
 
 		// Get our ChangesList
 		$changesList = new AbuseFilterChangesList( $this->getSkin(), $this->testPattern );
