From e60ced7f7ce69e57a4b8f25ae09973e7697f5ba0 Mon Sep 17 00:00:00 2001
From: Steve Dower
Date: Mon, 14 Nov 2022 21:39:18 +0000
Subject: [PATCH] gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module (GH-99373)
(cherry picked from commit 4e4b13e8f6211abbc0d53056da11357756daa314)
Co-authored-by: Steve Dower
---
 Lib/test/audit-tests.py | 11 +++++++++++
 Lib/test/test_audit.py | 5 +++++
 .../2022-11-11-12-50-28.gh-issue-87604.OtwH5L.rst | 2 ++
 Python/sysmodule.c | 2 ++
 4 files changed, 20 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Security/2022-11-11-12-50-28.gh-issue-87604.OtwH5L.rst
diff --git a/Lib/test/audit-tests.py b/Lib/test/audit-tests.py
index fea2f217749484..e7f8a945c1a9af 100644
--- a/Lib/test/audit-tests.py
+++ b/Lib/test/audit-tests.py
@@ -440,6 +440,17 @@ def hook(event, args):
 syslog.closelog()
+def test_not_in_gc():
+ import gc
+
+ hook = lambda *a: None
+ sys.addaudithook(hook)
+
+ for o in gc.get_objects():
+ if isinstance(o, list):
+ assert hook not in o
+
+
 if __name__ == "__main__":
 from test.support import suppress_msvcrt_asserts
diff --git a/Lib/test/test_audit.py b/Lib/test/test_audit.py
index 7cfb1d0d44f71d..75e96f069d8c27 100644
--- a/Lib/test/test_audit.py
+++ b/Lib/test/test_audit.py
@@ -209,6 +209,11 @@ def test_syslog(self):
 ('syslog.closelog', '', '')]
 )
+ def test_not_in_gc(self):
+ returncode, _, stderr = self.run_python("test_not_in_gc")
+ if returncode:
+ self.fail(stderr)
+
 if __name__ == "__main__":
 unittest.main()
diff --git a/Misc/NEWS.d/next/Security/2022-11-11-12-50-28.gh-issue-87604.OtwH5L.rst b/Misc/NEWS.d/next/Security/2022-11-11-12-50-28.gh-issue-87604.OtwH5L.rst
new file mode 100644
index 00000000000000..c931409b817122
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-11-11-12-50-28.gh-issue-87604.OtwH5L.rst
@@ -0,0 +1,2 @@
+Avoid publishing list of active per-interpreter audit hooks via the
+:mod:`gc` module
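Review bot: In `test_not_in_gc` (Lib/test/audit-tests.py), `assert hook not in o` falls back to `==` for every element of every tracked list, so an unrelated object with a raising or costly `__eq__` can fail the test for a reason that has nothing to do with audit hooks. An identity scan states the intent directly and gives a readable failure: `assert not any(item is hook for item in o), "audit hook list is visible to gc"`. The check covers `gc.get_objects()` only; a second assertion that no list appears in `gc.get_referrers(hook)` would pin the other gc entry point as well, assuming no other list in the test process holds the hook.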
diff --git a/Python/sysmodule.c b/Python/sysmodule.c
index 6f703e30050080..0ecfd77ba14c97 100644
--- a/Python/sysmodule.c
+++ b/Python/sysmodule.c
@@ -440,6 +440,8 @@ sys_addaudithook_impl(PyObject *module, PyObject *hook)
 if (interp->audit_hooks == NULL) {
 return NULL;
 }
+ /* Avoid having our list of hooks show up in the GC module */
+ PyObject_GC_UnTrack(interp->audit_hooks);
 }
 if (PyList_Append(interp->audit_hooks, hook) < 0) {
pFad - Phonifier reborn
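Review bot: The new comment above `PyObject_GC_UnTrack(interp->audit_hooks)` says what the call does but not why it matters or what it costs. A list reachable through `gc.get_objects()` can be mutated by any Python code in the interpreter, which would let that code drop hooks that are meant to be add-only. Untracking also means the collector no longer traverses this list, so a hook that sits in a reference cycle through it is presumably released only when the list is cleared at interpreter teardown (that path is outside the hunk). I would extend the comment along the lines of `/* Untrack the hook list: gc.get_objects() must not hand it to Python code, which could remove hooks. The list is then invisible to cycle collection. */`. The body of sys_addaudithook_impl starts and ends outside the hunk.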
