SECURITY: Fix leak of hidden usernames via autoblocks of those users

CVE-2025-6927

In BlockListPager, restore the bl_deleted=0 condition removed in the
previous commit. Add tests.

Bug: T397595
Change-Id: I5471fe615d222b936c6668bf3089dd8b5931cc75

includes/specials/pagers/BlockListPager.php

@@ -492,6 +492,7 @@ class BlockListPager extends TablePager {
 				'block_target.bt_user',
 				HideUserUtils::SHOWN_USERS
 			);
+			$info['conds']['bl_deleted'] = 0;
 		}
 		return $info;
 	}

tests/phpunit/includes/specials/pagers/BlockListPagerTest.php

@@ -366,6 +366,45 @@ class BlockListPagerTest extends MediaWikiIntegrationTestCase {
 		$this->assertTrue( true );
 	}
 
+	/**
+	 * T385765 regression test
+	 * @coversNothing
+	 */
+	public function testAutoblockLeak() {
+		$sysop = $this->getTestSysop()->getUserIdentity();
+		$this->overrideConfigValue( MainConfigNames::UseCodexSpecialBlock, true );
+		// Enable block links
+		RequestContext::getMain()->setAuthority( new UltimateAuthority( $sysop ) );
+		// Don't localise
+		RequestContext::getMain()->setLanguage( 'qqx' );
+		// Create autoblock
+		$addr = '127.0.0.1';
+		$this->getServiceContainer()->getDatabaseBlockStore()
+			->insertBlockWithParams( [
+				'address' => $addr,
+				'auto' => true,
+				'by' => $sysop
+			] );
+		// Run the pager over all blocks (there should only be one)
+		$pager = $this->getBlockListPager();
+		$body = $pager->getBody();
+		// Check that we managed to generate a remove link
+		$this->assertStringContainsString( '(remove-blocklink)', $body );
+		// Check that we didn't leak the IP address into it
+		$this->assertStringNotContainsString( $addr, $body );
+	}
+
+	/**
+	 * @param string $expected
+	 * @param string $actual
+	 */
+	private function assertStringNotContainsStringIgnoringPunctuation( $expected, $actual ) {
+		$this->assertStringNotContainsString( $expected, $actual );
+		// Fail even if punctuation in the name was replaced
+		$regex = '/' . preg_replace( '/[^A-Za-z0-9]+/', '.+', $expected ) . '/';
+		$this->assertDoesNotMatchRegularExpression( $regex, $actual );
+	}
+
 	/**
 	 * T391343 regression test
 	 * @coversNothing
@@ -392,9 +431,26 @@ class BlockListPagerTest extends MediaWikiIntegrationTestCase {
 
 		$pager = $this->getBlockListPager();
 		$body = $pager->getBody();
-		$this->assertStringNotContainsString( $user->getName(), $body );
-		// Fail even if punctuation in the name was replaced
-		$regex = '/' . preg_replace( '/[^A-Za-z0-9]+/', '.+', $user->getName() ) . '/';
-		$this->assertDoesNotMatchRegularExpression( $regex, $body );
+		$this->assertStringNotContainsStringIgnoringPunctuation( $user->getName(), $body );
+	}
+
+	/**
+	 * T397595 regression test
+	 * @coversNothing
+	 */
+	public function testAutoblockSuppression() {
+		$user = $this->getTestUser()->getUserIdentity();
+		$store = $this->getServiceContainer()->getDatabaseBlockStore();
+		$block = $store->insertBlockWithParams( [
+			'targetUser' => $user,
+			'by' => $this->getTestSysop()->getUser(),
+			'hideName' => true,
+			'enableAutoblock' => true,
+		] );
+		$store->doAutoblock( $block, '127.0.0.42' );
+
+		$pager = $this->getBlockListPager();
+		$body = $pager->getBody();
+		$this->assertStringNotContainsStringIgnoringPunctuation( $user->getName(), $body );
 	}
 }