There is a problem with hidden abuse filters. For example, this filter is actually not hidden: https://de.wikipedia.org/wiki/Spezial:Missbrauchsfilter/3, but older versions are hidden; for example, the last hidden version, https://de.wikipedia.org/wiki/Spezial:Missbrauchsfilter/history/3/item/40, is not visible without sysop rights. The version after it is not hidden, so it is visible to all users: https://de.wikipedia.org/wiki/Spezial:Missbrauchsfilter/history/3/item/42. The problem now is that the difference is visible to all users: https://de.wikipedia.org/wiki/Spezial:Missbrauchsfilter/history/3/diff/prev/42, and so is the difference between hidden versions: https://de.wikipedia.org/wiki/Spezial:Missbrauchsfilter/history/3/diff/prev/40, so non-sysops can reconstruct the hidden version. That's the problem.
| Repository : branch | Commit |
| --- | --- |
| mediawiki/extensions/AbuseFilter : REL1_32 | SECURITY: Check visibility for each version in ViewDiff |
| mediawiki/extensions/AbuseFilter : REL1_31 | SECURITY: Check visibility for each version in ViewDiff |
| mediawiki/extensions/AbuseFilter : REL1_33 | SECURITY: Check visibility for each version in ViewDiff |
| mediawiki/extensions/AbuseFilter : REL1_34 | SECURITY: Check visibility for each version in ViewDiff |
| mediawiki/extensions/AbuseFilter : master | SECURITY: Check visibility for each version in ViewDiff |
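The leak described in the report, modelled as an added example in Python (this is not the AbuseFilter extension's own code). The history items, the rule text and the `can_view_private` flag are constructed; the point is that a diff view which only checks the filter's current hidden flag renders a diff touching a hidden history entry, while the fixed view checks each version in the diff.

```python
import difflib
from dataclasses import dataclass


@dataclass
class FilterVersion:
    """One row of the filter history (afh_id is the history item id)."""
    afh_id: int
    hidden: bool    # this history entry is marked private
    pattern: str    # the rule text stored in this version


# Constructed sample history modelled on the report: item 40 is hidden,
# item 42 (the version right after it) is public. Rule text is made up.
HISTORY = {
    40: FilterVersion(40, True, 'action == "edit" & secret_condition'),
    42: FilterVersion(42, False, 'action == "edit"'),
}


def render_diff(old, new):
    """Unified diff of two versions' rule text, as a list of lines."""
    return list(difflib.unified_diff(
        old.pattern.splitlines(), new.pattern.splitlines(),
        fromfile=f"item/{old.afh_id}", tofile=f"item/{new.afh_id}", lineterm=""))


def view_diff_before_fix(filter_is_hidden, old, new, can_view_private):
    # Only the filter's *current* hidden flag is consulted. Filter 3 is
    # public now, so a diff against hidden item 40 is shown to everyone.
    if filter_is_hidden and not can_view_private:
        return None
    return render_diff(old, new)


def view_diff_fixed(old, new, can_view_private):
    # Each version taking part in the diff is checked; if either side is
    # hidden and the viewer lacks the private-view right, nothing is shown.
    if any(v.hidden for v in (old, new)) and not can_view_private:
        return None
    return render_diff(old, new)


def leaks_hidden_text(diff_lines):
    """True if the rendered diff exposes the hidden version's rule text."""
    return any("secret_condition" in line for line in (diff_lines or []))
```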
A piece was missed there, which I restored in the patch below. Plus: use canViewPrivate everywhere, order by afh_id in a query, and add a @todo about caching for when the code is public.
I wouldn't be too sure about that (e.g. throttle params are a bit sensitive), but I agree that it's probably fine not to hide them. Anyway, we can think about it once the code is public.
Note: when viewing the diff right before the hidden version, you'll still see a "newer change" button at the bottom; clicking it will just tell you that you cannot see the revision. I guess we can make it disappear in a follow-up.
I'm not seeing anything on the task that would prevent it from being made public. And given that it's for a non-bundled extension, we don't have to hold the task for a mediawiki security release or anything like that. The new announcements I've been trying to do (e.g. T234983) are designed to occur after backports and any other public disclosure (CVE, etc.)
Backports for master and REL1_34 were merged, CVE requested. It appears that for the other supported release branches (1.31, 1.32, 1.33) it's just an issue of line differences for the patch. I'll try to get some additional patches uploaded to gerrit for these branches. @Daimona - would you be able to review those just in case the patch isn't relevant? (I think it still is - whoops, it's not.)
FTR: I've updated the backports for 1.31, 32, and 33 to avoid using AbuseFilter::canViewPrivate (introduced in 1.34). For the 1.31 one, I also had to upgrade PHPCS to 19.1.0 (and disable a new sniff) because older versions fail on PHP7.3 (T233759).