public inbox for pgsql-hackers@postgresql.org
From: Matheus Alcantara <matheusssilv97@gmail.com>
To: Chao Li <li.evan.chao@gmail.com>
To: PostgreSQL-development <pgsql-hackers@postgresql.org>
Cc: Andrew Dunstan <andrew@dunslane.net>
Subject: Re: Avoid leaking system path from pg_available_extensions
Date: Thu, 21 May 2026 12:12:56 -0300
Message-ID: <96203151-6929-4d88-85a0-d552ee258a24@gmail.com> (raw)
In-Reply-To: <357C774A-ECE9-4455-B641-315205D4D9A1@gmail.com>
References: <357C774A-ECE9-4455-B641-315205D4D9A1@gmail.com>

On 19/05/26 22:00, Chao Li wrote:
> I just tested “Add paths of extensions to pg_available_extensions”, and found an issue.
> 
> This is a simple repro:
> ```
> evantest=# reset extension_control_path;
> RESET
> evantest=# select * from pg_available_extensions where name = 'plpgsql';
>    name   | default_version | installed_version | location |           comment
> ---------+-----------------+-------------------+----------+------------------------------
>   plpgsql | 1.0             | 1.0               | $system  | PL/pgSQL procedural language
> (1 row)
> 
> evantest=# set extension_control_path='';
> SET
> evantest=# select * from pg_available_extensions where name = 'plpgsql';
>    name   | default_version | installed_version |             location             |           comment
> ---------+-----------------+-------------------+----------------------------------+------------------------------
>   plpgsql | 1.0             | 1.0               | /usr/local/pgsql/share/extension | PL/pgSQL procedural language
> (1 row)
> ```
> 
> When extension_control_path is not set, location shows "$system", which is consistent with what the documentation says:
> ```
>         <para>
>          The default value for this parameter is
>          <literal>'$system'</literal>. If the value is set to an empty
>          string, the default <literal>'$system'</literal> is also assumed.
>         </para>
> ```
> 
> However, as shown above, when I set extension_control_path to an empty string, the absolute system path is displayed. I consider this an information leakage bug.
> 
> The fix is straightforward; see the attached patch for details. After the fix, when extension_control_path is an empty string, location shows “$system” now:
> ```
> evantest=# set extension_control_path='';
> SET
> evantest=# select * from pg_available_extensions where name = 'plpgsql';
>    name   | default_version | installed_version | location |           comment
> ---------+-----------------+-------------------+----------+------------------------------
>   plpgsql | 1.0             | 1.0               | $system  | PL/pgSQL procedural language
> (1 row)
> ```
> 

Hi, thank you for sharing the bug with the fix.

I've reproduced the issue and the fix looks correct to me.

--
Matheus Alcantara
EDB: https://www.enterprisedb.com
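The report above turns on one detail: the documentation promises that an empty `extension_control_path` is treated as `'$system'`, so the `location` column should print that label, not the directory it expands to. The model below is an added illustration of that contract and is not PostgreSQL's code or the attached patch; the directory in `SYSTEM_EXTENSION_DIR`, the in-memory `FAKE_FS` stand-in for the filesystem, and the function names are assumptions. `location_leaky` models the reported failure mode (resolving the empty setting to the real directory and then displaying what was resolved), `location_fixed` keeps the unexpanded label beside the expanded directory and reports only the label, and `leaks_system_path` is the audit check one would run over the view's output.

```python
"""Model of how pg_available_extensions.location can be derived from
extension_control_path without exposing the system directory.

Added example, not PostgreSQL's own code; paths and the fake filesystem
below are assumptions."""

# Assumed install location; PostgreSQL derives the real one from its sharedir.
SYSTEM_EXTENSION_DIR = "/usr/local/pgsql/share/extension"

# Constructed stand-in for the filesystem: directory -> control files present.
FAKE_FS = {
    "/usr/local/pgsql/share/extension": {"plpgsql.control"},
    "/opt/ext": {"vector.control"},
}

# Assumed list separator (PostgreSQL uses the platform path-list separator).
LIST_SEPARATOR = ":"


def expand_control_path(setting):
    """Map the GUC value to (label, directory) pairs, keeping the label.

    An empty string means the default '$system', as the documentation says,
    so it is normalised to that label *before* any expansion happens.
    """
    if setting == "":
        setting = "$system"
    pairs = []
    for entry in setting.split(LIST_SEPARATOR):
        entry = entry.strip()
        if not entry:
            continue
        directory = SYSTEM_EXTENSION_DIR if entry == "$system" else entry
        pairs.append((entry, directory))
    return pairs


def find_extension(name, setting, fs=FAKE_FS):
    """Return (label, directory) of the first path entry holding name.control."""
    for label, directory in expand_control_path(setting):
        if f"{name}.control" in fs.get(directory, set()):
            return label, directory
    return None


def location_leaky(name, setting, fs=FAKE_FS):
    """Model of the reported failure mode (an assumption, not the real code
    path): the empty setting is replaced by the expanded directory and the
    display value is taken from that, so the absolute path is shown."""
    entries = [SYSTEM_EXTENSION_DIR] if setting == "" else setting.split(LIST_SEPARATOR)
    for entry in entries:
        directory = SYSTEM_EXTENSION_DIR if entry == "$system" else entry
        if f"{name}.control" in fs.get(directory, set()):
            return entry
    return None


def location_fixed(name, setting, fs=FAKE_FS):
    """Hardened form: report the unexpanded label, never the resolved path."""
    hit = find_extension(name, setting, fs)
    return hit[0] if hit else None


def leaks_system_path(location):
    """Audit check: does a reported location expose the system directory?"""
    return location is not None and location.startswith(SYSTEM_EXTENSION_DIR)


if __name__ == "__main__":
    for setting in ("$system", "", "/opt/ext:$system"):
        for fn in (location_leaky, location_fixed):
            loc = fn("plpgsql", setting)
            print(f"{fn.__name__:15} {setting!r:20} -> {loc!r}  leak={leaks_system_path(loc)}")
```

The point of keeping `(label, directory)` pairs rather than a flat list of resolved directories is that the normalisation of `''` to `'$system'` happens once, at parse time, and every later consumer (the control-file lookup and the view's display column) sees the same label; the leak in the report is what happens when display logic re-derives the value from the already-expanded path.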
