From fb371b410adbc2ac645ab36a6c19faf233b269d5 Mon Sep 17 00:00:00 2001
From: Steve Dower <steve.dower@python.org>
Date: Mon, 21 Nov 2022 18:13:33 +0000
Subject: [PATCH] [3.9] gh-87604: Avoid publishing list of active
 per-interpreter audit hooks via the gc module (GH-99373) (GH-99493) (cherry
 picked from commit 7b98207aa46bd637d07a7c4a84e998726b74acde)

Co-authored-by: Steve Dower <steve.dower@python.org>
---
 Lib/test/audit-tests.py                               | 11 +++++++++++
 Lib/test/test_audit.py                                |  5 +++++
 .../2022-11-11-12-50-28.gh-issue-87604.OtwH5L.rst     |  2 ++
 Python/sysmodule.c                                    |  2 ++
 4 files changed, 20 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Security/2022-11-11-12-50-28.gh-issue-87604.OtwH5L.rst

diff --git a/Lib/test/audit-tests.py b/Lib/test/audit-tests.py
index 8e66594e52429b..45cd0d12c6509f 100644
--- a/Lib/test/audit-tests.py
+++ b/Lib/test/audit-tests.py
@@ -341,6 +341,17 @@ def hook(event, args):
     gc.get_referents(y)
 
 
+def test_not_in_gc():
+    import gc
+
+    hook = lambda *a: None
+    sys.addaudithook(hook)
+
+    for o in gc.get_objects():
+        if isinstance(o, list):
+            assert hook not in o
+
+
 if __name__ == "__main__":
     from test.support import suppress_msvcrt_asserts
 
diff --git a/Lib/test/test_audit.py b/Lib/test/test_audit.py
index a9ac6fee446f87..fe3d0e0eaea51f 100644
--- a/Lib/test/test_audit.py
+++ b/Lib/test/test_audit.py
@@ -127,6 +127,11 @@ def test_gc(self):
             ["gc.get_objects", "gc.get_referrers", "gc.get_referents"]
         )
 
+    def test_not_in_gc(self):
+        returncode, _, stderr = self.run_python("test_not_in_gc")
+        if returncode:
+            self.fail(stderr)
+
 
 if __name__ == "__main__":
     unittest.main()
diff --git a/Misc/NEWS.d/next/Security/2022-11-11-12-50-28.gh-issue-87604.OtwH5L.rst b/Misc/NEWS.d/next/Security/2022-11-11-12-50-28.gh-issue-87604.OtwH5L.rst
new file mode 100644
index 00000000000000..c931409b817122
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-11-11-12-50-28.gh-issue-87604.OtwH5L.rst
@@ -0,0 +1,2 @@
+Avoid publishing list of active per-interpreter audit hooks via the
+:mod:`gc` module
diff --git a/Python/sysmodule.c b/Python/sysmodule.c
index ffda71446712cc..eb3245a33298cd 100644
--- a/Python/sysmodule.c
+++ b/Python/sysmodule.c
@@ -356,6 +356,8 @@ sys_addaudithook_impl(PyObject *module, PyObject *hook)
         if (is->audit_hooks == NULL) {
             return NULL;
         }
+        /* Avoid having our list of hooks show up in the GC module */
+        PyObject_GC_UnTrack(is->audit_hooks);
     }
 
     if (PyList_Append(is->audit_hooks, hook) < 0) {

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://rainy.clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/python/cpython/pull/99661.patch" target="_blank">Alternative Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/python/cpython/pull/99661.patch" target="_blank">pFad Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/python/cpython/pull/99661.patch" target="_blank">pFad v3 Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/python/cpython/pull/99661.patch" target="_blank">pFad v4 Proxy</a></p></body>
</html>