> On May 20, 2026, at 09:00, Chao Li <[email protected]> wrote:
>
> Hi,
>
> I just tested “Add paths of extensions to pg_available_extensions”, and found
> an issue.
>
> This is a simple repro:
> ```
> evantest=# reset extension_control_path;
> RESET
> evantest=# select * from pg_available_extensions where name = 'plpgsql';
>   name   | default_version | installed_version | location |           comment
> ---------+-----------------+-------------------+----------+------------------------------
>  plpgsql | 1.0             | 1.0               | $system  | PL/pgSQL procedural language
> (1 row)
>
> evantest=# set extension_control_path='';
> SET
> evantest=# select * from pg_available_extensions where name = 'plpgsql';
>   name   | default_version | installed_version |             location             |           comment
> ---------+-----------------+-------------------+----------------------------------+------------------------------
>  plpgsql | 1.0             | 1.0               | /usr/local/pgsql/share/extension | PL/pgSQL procedural language
> (1 row)
> ```
>
> When extension_control_path is not set, location shows “$system”, which is
> consistent with what the documentation says:
> ```
> <para>
> The default value for this parameter is
> <literal>'$system'</literal>. If the value is set to an empty
> string, the default <literal>'$system'</literal> is also assumed.
> </para>
> ```
>
> However, as shown above, when I set extension_control_path to an empty
> string, the absolute system path is displayed. I consider this an information
> leakage bug.
>
> The fix is straightforward; see the attached patch for details. After the
> fix, when extension_control_path is an empty string, location shows “$system”
> now:
> ```
> evantest=# set extension_control_path='';
> SET
> evantest=# select * from pg_available_extensions where name = 'plpgsql';
>   name   | default_version | installed_version | location |           comment
> ---------+-----------------+-------------------+----------+------------------------------
>  plpgsql | 1.0             | 1.0               | $system  | PL/pgSQL procedural language
> (1 row)
> ```
>
> Best regards,
> --
> Chao Li (Evan)
> HighGo Software Co., Ltd.
> https://www.highgo.com/

Oops, forgot the attachment. Here it is.

Best regards,
--
Chao Li (Evan)
HighGo Software Co., Ltd.
https://www.highgo.com/

v1-0001-Avoid-leaking-system-path-from-pg_available_exten.patch
