From 3a5f9f0a563b424bb4c07d58db978a76b6ec59bc Mon Sep 17 00:00:00 2001
From: Steve Dower
Date: Mon, 14 Nov 2022 21:39:18 +0000
Subject: [PATCH 1/2] gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module (GH-99373)
---
 Lib/test/audit-tests.py | 11 +++++++++++
 Lib/test/test_audit.py | 5 +++++
 .../2022-11-11-12-50-28.gh-issue-87604.OtwH5L.rst | 2 ++
 Python/sysmodule.c | 2 ++
 4 files changed, 20 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Security/2022-11-11-12-50-28.gh-issue-87604.OtwH5L.rst
diff --git a/Lib/test/audit-tests.py b/Lib/test/audit-tests.py
index 95216bcc48253c..6de636a9e9dc6a 100644
--- a/Lib/test/audit-tests.py
+++ b/Lib/test/audit-tests.py
@@ -368,6 +368,17 @@ def hook(event, args): gc.get_referents(y)
+def test_not_in_gc():
+ import gc
+
+ hook = lambda *a: None
+ sys.addaudithook(hook)
+
+ for o in gc.get_objects():
+ if isinstance(o, list):
+ assert hook not in o
+
+
 if __name__ == "__main__": from test.support import suppress_msvcrt_asserts
diff --git a/Lib/test/test_audit.py b/Lib/test/test_audit.py
index 387a31229a2f16..e47e5569c2b914 100644
--- a/Lib/test/test_audit.py
+++ b/Lib/test/test_audit.py
@@ -132,6 +132,11 @@ def test_gc(self): ["gc.get_objects", "gc.get_referrers", "gc.get_referents"] )
+ def test_not_in_gc(self):
+ returncode, _, stderr = self.run_python("test_not_in_gc")
+ if returncode:
+ self.fail(stderr)
+
 if __name__ == "__main__": unittest.main()
diff --git a/Misc/NEWS.d/next/Security/2022-11-11-12-50-28.gh-issue-87604.OtwH5L.rst b/Misc/NEWS.d/next/Security/2022-11-11-12-50-28.gh-issue-87604.OtwH5L.rst
new file mode 100644
index 00000000000000..c931409b817122
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-11-11-12-50-28.gh-issue-87604.OtwH5L.rst
@@ -0,0 +1,2 @@
+Avoid publishing list of active per-interpreter audit hooks via the
+:mod:`gc` module
diff --git a/Python/sysmodule.c b/Python/sysmodule.c
index 8efa850dce6fc3..4ef3227b16c4c3 100644
--- a/Python/sysmodule.c
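Review bot: In `test_not_in_gc` (Lib/test/audit-tests.py) the regression check only walks `gc.get_objects()`, so it would not notice the hook list becoming reachable again through `gc.get_referrers(hook)`, which the neighbouring `test_gc` case already lists as an audited gc entry point. Consider adding `assert not any(isinstance(r, list) for r in gc.get_referrers(hook))` after the loop so both lookup paths are pinned. As a smaller point, `hook not in o` falls back to `==` on the elements of every tracked list; `assert not any(x is hook for x in o)` keeps the scan to identity checks and avoids running unrelated `__eq__` methods.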
+++ b/Python/sysmodule.c
@@ -440,6 +440,8 @@ sys_addaudithook_impl(PyObject *module, PyObject *hook) if (is->audit_hooks == NULL) { return NULL; }
+ /* Avoid having our list of hooks show up in the GC module */
+ PyObject_GC_UnTrack(interp->audit_hooks);
 } if (PyList_Append(is->audit_hooks, hook) < 0) {
From 9fd2fae92b17b39e574b8bda165fcb664a3168ef Mon Sep 17 00:00:00 2001
From: Steve Dower
Date: Mon, 14 Nov 2022 22:19:05 +0000
Subject: [PATCH 2/2] Fix variable name
---
 Python/sysmodule.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Python/sysmodule.c b/Python/sysmodule.c
index 4ef3227b16c4c3..a8f2f021c3260a 100644
--- a/Python/sysmodule.c
+++ b/Python/sysmodule.c
@@ -441,7 +441,7 @@ sys_addaudithook_impl(PyObject *module, PyObject *hook) return NULL; } /* Avoid having our list of hooks show up in the GC module */
- PyObject_GC_UnTrack(interp->audit_hooks);
+ PyObject_GC_UnTrack(is->audit_hooks);
 } if (PyList_Append(is->audit_hooks, hook) < 0) {
pFad - Phonifier reborn
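Review bot: The comment added above the `PyObject_GC_UnTrack(...)` call in `sys_addaudithook_impl` (first sysmodule.c hunk) says what is done but not why it matters or what it costs. Presumably the intent is that code holding a reference to the list could alter the installed hooks, so a comment such as `/* Untrack the list so the gc module cannot hand it out to code that could then modify the installed hooks. */` would record that for the next maintainer. It is also worth a line noting that an untracked list is never traversed by the cycle collector, so the hooks stay referenced until the list is released explicitly; where that happens is not visible here. The function body starts and ends outside the hunk.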
