SECURITY: DifferenceEngine: hide diff-multi-sameuser message for supr…

…essed revisions

CVE-2023-PENDING

reduce the edit count if a user for a given revision is suppress-deleted

Bug: T341529
Change-Id: I79539464cf3500065cb4f42e1542ff5feec31395

includes/diff/DifferenceEngine.php

@@ -1675,12 +1675,22 @@ public function getMultiNotice() {
 
 		// Don't show the notice if too many rows must be scanned
 		// @todo show some special message for that case
-		$nEdits = $this->revisionStore->countRevisionsBetween(
+		$nEdits = 0;
+		$revisionIdList = $this->revisionStore->getRevisionIdsBetween(
 			$this->mNewPage->getArticleID(),
 			$oldRevRecord,
 			$newRevRecord,
 			1000
 		);
+		// only count revisions that are visible
+		if ( count( $revisionIdList ) > 0 ) {
+			foreach ( $revisionIdList as $revisionId ) {
+				$revision = $this->revisionStore->getRevisionById( $revisionId );
+				if ( $revision->getUser( RevisionRecord::FOR_THIS_USER, $this->getAuthority() ) ) {
+					$nEdits++;
+				}
+			}
+		}
 		if ( $nEdits > 0 && $nEdits <= 1000 ) {
 			// Use an invalid username to get the wiki's default gender (as fallback)
 			$newRevUserForGender = '[HIDDEN]';