leak references for safety in PyWeakRefMethods::upgrade_borrowed (#4590)

* Add PyWeakref_GetRef and use it in weakref wrappers. (#4528)

* deprecate weakref methods that return borrowed references

---------

Co-authored-by: Nathan Goldbaum <[email protected]>

Author: davidhewitt

newsfragments/4528.added.md

@@ -0,0 +1,2 @@
+* Added bindings for `pyo3_ffi::PyWeakref_GetRef` on Python 3.13 and newer and
+  `py03_ffi::compat::PyWeakref_GetRef` for older Python versions.

newsfragments/4590.changed.md

@@ -0,0 +1 @@
+* Deprecate `_borrowed` methods on `PyWeakRef` and `PyWeakrefProxy` (just use the owning forms).

newsfragments/4590.fixed.md

@@ -0,0 +1 @@
+* Workaround possible use-after-free in `_borrowed` methods on `PyWeakRef` and `PyWeakrefProxy` by leaking their contents.

pyo3-ffi/src/compat/py_3_13.rs

@@ -37,3 +37,36 @@ compat_function!(
         item
     }
 );
+
+compat_function!(
+    originally_defined_for(Py_3_13);
+
+    #[inline]
+    pub unsafe fn PyWeakref_GetRef(
+        reference: *mut crate::PyObject,
+        pobj: *mut *mut crate::PyObject,
+    ) -> std::os::raw::c_int {
+        use crate::{
+            compat::Py_NewRef, PyErr_SetString, PyExc_TypeError, PyWeakref_Check,
+            PyWeakref_GetObject, Py_None,
+        };
+
+        if !reference.is_null() && PyWeakref_Check(reference) == 0 {
+            *pobj = std::ptr::null_mut();
+            PyErr_SetString(PyExc_TypeError, c_str!("expected a weakref").as_ptr());
+            return -1;
+        }
+        let obj = PyWeakref_GetObject(reference);
+        if obj.is_null() {
+            // SystemError if reference is NULL
+            *pobj = std::ptr::null_mut();
+            return -1;
+        }
+        if obj == Py_None() {
+            *pobj = std::ptr::null_mut();
+            return 0;
+        }
+        *pobj = Py_NewRef(obj);
+        1
+    }
+);

pyo3-ffi/src/weakrefobject.rs

@@ -58,5 +58,12 @@ extern "C" {
     #[cfg_attr(PyPy, link_name = "PyPyWeakref_NewProxy")]
     pub fn PyWeakref_NewProxy(ob: *mut PyObject, callback: *mut PyObject) -> *mut PyObject;
     #[cfg_attr(PyPy, link_name = "PyPyWeakref_GetObject")]
-    pub fn PyWeakref_GetObject(_ref: *mut PyObject) -> *mut PyObject;
+    #[cfg_attr(
+        Py_3_13,
+        deprecated(note = "deprecated since Python 3.13. Use `PyWeakref_GetRef` instead.")
+    )]
+    pub fn PyWeakref_GetObject(reference: *mut PyObject) -> *mut PyObject;
+    #[cfg(Py_3_13)]
+    #[cfg_attr(PyPy, link_name = "PyPyWeakref_GetRef")]
+    pub fn PyWeakref_GetRef(reference: *mut PyObject, pobj: *mut *mut PyObject) -> c_int;
 }