Avoid leaking system path from pg_available_extensions

public inbox for pgsql-hackers@postgresql.org  
help / color / mirror / Atom feed

From: Chao Li <li.evan.chao@gmail.com>
To: PostgreSQL-development <pgsql-hackers@postgresql.org>
Cc: Andrew Dunstan <andrew@dunslane.net>
Cc: Matheus Alcantara <matheusssilv97@gmail.com>
Subject: Avoid leaking system path from pg_available_extensions
Date: Wed, 20 May 2026 09:00:29 +0800
Message-ID: <357C774A-ECE9-4455-B641-315205D4D9A1@gmail.com> (raw)

Hi,

I just tested “Add paths of extensions to pg_available_extensions”, and found an issue.

This is a simple repro:
```
evantest=# reset extension_control_path;
RESET
evantest=# select * from pg_available_extensions where name = 'plpgsql';
  name   | default_version | installed_version | location |           comment
---------+-----------------+-------------------+----------+------------------------------
 plpgsql | 1.0             | 1.0               | $system  | PL/pgSQL procedural language
(1 row)

evantest=# set extension_control_path='';
SET
evantest=# select * from pg_available_extensions where name = 'plpgsql';
  name   | default_version | installed_version |             location             |           comment
---------+-----------------+-------------------+----------------------------------+------------------------------
 plpgsql | 1.0             | 1.0               | /usr/local/pgsql/share/extension | PL/pgSQL procedural language
(1 row)
```

When extension_control_path is not set, location shows “$system", which is consistent with what the documentation says:
```
       <para>
        The default value for this parameter is
        <literal>'$system'</literal>. If the value is set to an empty
        string, the default <literal>'$system'</literal> is also assumed.
       </para>
```

However, as shown above, when I set extension_control_path to an empty string, the absolute system path is displayed. I consider this an information leakage bug.

The fix is straightforward; see the attached patch for details. After the fix, when extension_control_path is an empty string, location shows “$system” now:
```
evantest=# set extension_control_path='';
SET
evantest=# select * from pg_available_extensions where name = 'plpgsql';
  name   | default_version | installed_version | location |           comment
---------+-----------------+-------------------+----------+------------------------------
 plpgsql | 1.0             | 1.0               | $system  | PL/pgSQL procedural language
(1 row)
```

Best regards,
--
Chao Li (Evan)
HighGo Software Co., Ltd.
https://www.highgo.com/

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: pgsql-hackers@postgresql.org
  Cc: li.evan.chao@gmail.com, andrew@dunslane.net, matheusssilv97@gmail.com
  Subject: Re: Avoid leaking system path from pg_available_extensions
  In-Reply-To: <357C774A-ECE9-4455-B641-315205D4D9A1@gmail.com>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox