public inbox for [email protected]  
From: Chao Li <[email protected]>
To: PostgreSQL-development <[email protected]>
Cc: Andrew Dunstan <[email protected]>
Cc: Matheus Alcantara <[email protected]>
Subject: Avoid leaking system path from pg_available_extensions
Date: Wed, 20 May 2026 09:00:29 +0800
Message-ID: <[email protected]>

Hi,

I just tested “Add paths of extensions to pg_available_extensions”, and found an issue.

This is a simple repro:
```
evantest=# reset extension_control_path;
RESET
evantest=# select * from pg_available_extensions where name = 'plpgsql';
  name   | default_version | installed_version | location |           comment
---------+-----------------+-------------------+----------+------------------------------
 plpgsql | 1.0             | 1.0               | $system  | PL/pgSQL procedural language
(1 row)

evantest=# set extension_control_path='';
SET
evantest=# select * from pg_available_extensions where name = 'plpgsql';
  name   | default_version | installed_version |             location             |           comment
---------+-----------------+-------------------+----------------------------------+------------------------------
 plpgsql | 1.0             | 1.0               | /usr/local/pgsql/share/extension | PL/pgSQL procedural language
(1 row)
```

When extension_control_path is not set, location shows “$system”, which is consistent with what the documentation says:
```
       <para>
        The default value for this parameter is
        <literal>'$system'</literal>. If the value is set to an empty
        string, the default <literal>'$system'</literal> is also assumed.
       </para>
```

However, as shown above, when I set extension_control_path to an empty string, the absolute system path is displayed. I consider this an information leakage bug.

The fix is straightforward; see the attached patch for details. After the fix, when extension_control_path is an empty string, location shows “$system” now:
```
evantest=# set extension_control_path='';
SET
evantest=# select * from pg_available_extensions where name = 'plpgsql';
  name   | default_version | installed_version | location |           comment
---------+-----------------+-------------------+----------+------------------------------
 plpgsql | 1.0             | 1.0               | $system  | PL/pgSQL procedural language
(1 row)
```

Best regards,
--
Chao Li (Evan)
HighGo Software Co., Ltd.
https://www.highgo.com/