public inbox for [email protected]
help / color / mirror / Atom feedAvoid leaking system path from pg_available_extensions
7+ messages / 4 participants
[nested] [flat]
* Avoid leaking system path from pg_available_extensions
@ 2026-05-20 01:00 Chao Li <[email protected]>
0 siblings, 2 replies; 7+ messages in thread
From: Chao Li @ 2026-05-20 01:00 UTC (permalink / raw)
To: pgsql-hackers; +Cc: Andrew Dunstan <[email protected]>; Matheus Alcantara <[email protected]>
Hi,
I just tested “Add paths of extensions to pg_available_extensions”, and found an issue.
This is a simple repro:
```
evantest=# reset extension_control_path;
RESET
evantest=# select * from pg_available_extensions where name = 'plpgsql';
name | default_version | installed_version | location | comment
---------+-----------------+-------------------+----------+------------------------------
plpgsql | 1.0 | 1.0 | $system | PL/pgSQL procedural language
(1 row)
evantest=# set extension_control_path='';
SET
evantest=# select * from pg_available_extensions where name = 'plpgsql';
name | default_version | installed_version | location | comment
---------+-----------------+-------------------+----------------------------------+------------------------------
plpgsql | 1.0 | 1.0 | /usr/local/pgsql/share/extension | PL/pgSQL procedural language
(1 row)
```
When extension_control_path is not set, location shows “$system", which is consistent with what the documentation says:
```
<para>
The default value for this parameter is
<literal>'$system'</literal>. If the value is set to an empty
string, the default <literal>'$system'</literal> is also assumed.
</para>
```
However, as shown above, when I set extension_control_path to an empty string, the absolute system path is displayed. I consider this an information leakage bug.
The fix is straightforward; see the attached patch for details. After the fix, when extension_control_path is an empty string, location shows “$system” now:
```
evantest=# set extension_control_path='';
SET
evantest=# select * from pg_available_extensions where name = 'plpgsql';
name | default_version | installed_version | location | comment
---------+-----------------+-------------------+----------+------------------------------
plpgsql | 1.0 | 1.0 | $system | PL/pgSQL procedural language
(1 row)
```
Best regards,
--
Chao Li (Evan)
HighGo Software Co., Ltd.
https://www.highgo.com/
^ permalink raw reply [nested|flat] 7+ messages in thread
* Re: Avoid leaking system path from pg_available_extensions
@ 2026-05-20 01:07 Chao Li <[email protected]>
parent: Chao Li <[email protected]>
1 sibling, 1 reply; 7+ messages in thread
From: Chao Li @ 2026-05-20 01:07 UTC (permalink / raw)
To: pgsql-hackers; +Cc: Andrew Dunstan <[email protected]>; Matheus Alcantara <[email protected]>
> On May 20, 2026, at 09:00, Chao Li <[email protected]> wrote:
>
> Hi,
>
> I just tested “Add paths of extensions to pg_available_extensions”, and found an issue.
>
> This is a simple repro:
> ```
> evantest=# reset extension_control_path;
> RESET
> evantest=# select * from pg_available_extensions where name = 'plpgsql';
> name | default_version | installed_version | location | comment
> ---------+-----------------+-------------------+----------+------------------------------
> plpgsql | 1.0 | 1.0 | $system | PL/pgSQL procedural language
> (1 row)
>
> evantest=# set extension_control_path='';
> SET
> evantest=# select * from pg_available_extensions where name = 'plpgsql';
> name | default_version | installed_version | location | comment
> ---------+-----------------+-------------------+----------------------------------+------------------------------
> plpgsql | 1.0 | 1.0 | /usr/local/pgsql/share/extension | PL/pgSQL procedural language
> (1 row)
> ```
>
> When extension_control_path is not set, location shows “$system", which is consistent with what the documentation says:
> ```
> <para>
> The default value for this parameter is
> <literal>'$system'</literal>. If the value is set to an empty
> string, the default <literal>'$system'</literal> is also assumed.
> </para>
> ```
>
> However, as shown above, when I set extension_control_path to an empty string, the absolute system path is displayed. I consider this an information leakage bug.
>
> The fix is straightforward; see the attached patch for details. After the fix, when extension_control_path is an empty string, location shows “$system” now:
> ```
> evantest=# set extension_control_path='';
> SET
> evantest=# select * from pg_available_extensions where name = 'plpgsql';
> name | default_version | installed_version | location | comment
> ---------+-----------------+-------------------+----------+------------------------------
> plpgsql | 1.0 | 1.0 | $system | PL/pgSQL procedural language
> (1 row)
> ```
>
> Best regards,
> --
> Chao Li (Evan)
> HighGo Software Co., Ltd.
> https://www.highgo.com/
>
>
>
>
Oops, forgot the attachment. Here comes it.
Best regards,
--
Chao Li (Evan)
HighGo Software Co., Ltd.
https://www.highgo.com/
Attachments:
[application/octet-stream] v1-0001-Avoid-leaking-system-path-from-pg_available_exten.patch (2.6K, 2-v1-0001-Avoid-leaking-system-path-from-pg_available_exten.patch)
download | inline diff:
From 0f9398b34a5484edbb93cb7771d6204bb37b6f7c Mon Sep 17 00:00:00 2001
From: "Chao Li (Evan)" <[email protected]>
Date: Wed, 20 May 2026 08:49:15 +0800
Subject: [PATCH v1] Avoid leaking system path from pg_available_extensions
The documentation says that when extension_control_path is set to an
empty string, the default '$system' path is still assumed. However,
get_extension_control_directories() added the system extension directory
with a NULL macro in that case. As a result, pg_available_extensions
could expose the expanded system directory path instead of reporting
'$system' as the location.
Record the implicitly-added system directory with the '$system' macro, so
pg_available_extensions reports the documented symbolic location and does
not leak the actual system path.
Update the extension_control_path TAP test to check the reported location
directly.
Author: Chao Li <[email protected]>
Reviewed-by:
Discussion: https://postgr.es/m/
---
src/backend/commands/extension.c | 2 +-
.../modules/test_extensions/t/001_extension_control_path.pl | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/backend/commands/extension.c b/src/backend/commands/extension.c
index a330b5fd6ce..98f9d7018ae 100644
--- a/src/backend/commands/extension.c
+++ b/src/backend/commands/extension.c
@@ -526,7 +526,7 @@ get_extension_control_directories(void)
{
ExtensionLocation *location = palloc_object(ExtensionLocation);
- location->macro = NULL;
+ location->macro = pstrdup("$system");
location->loc = system_dir;
paths = lappend(paths, location);
}
diff --git a/src/test/modules/test_extensions/t/001_extension_control_path.pl b/src/test/modules/test_extensions/t/001_extension_control_path.pl
index c1cec0dc622..4a013a7da4b 100644
--- a/src/test/modules/test_extensions/t/001_extension_control_path.pl
+++ b/src/test/modules/test_extensions/t/001_extension_control_path.pl
@@ -109,10 +109,10 @@ is($ret, "t",
"\$system extension is shown correctly in pg_available_extensions");
$ret = $node->safe_psql('postgres',
- "set extension_control_path = ''; select count(*) > 0 as ok from pg_available_extensions where name = 'plpgsql'"
+ "set extension_control_path = ''; select location from pg_available_extensions where name = 'plpgsql'"
);
-is($ret, "t",
- "\$system extension is shown correctly in pg_available_extensions with empty extension_control_path"
+is($ret, "\$system",
+ "\$system location is shown correctly in pg_available_extensions with empty extension_control_path"
);
# Test with an extension that does not exists
--
2.50.1 (Apple Git-155)
^ permalink raw reply [nested|flat] 7+ messages in thread
* Re: Avoid leaking system path from pg_available_extensions
@ 2026-05-21 08:55 lu feng <[email protected]>
parent: Chao Li <[email protected]>
0 siblings, 0 replies; 7+ messages in thread
From: lu feng @ 2026-05-21 08:55 UTC (permalink / raw)
To: Chao Li <[email protected]>; +Cc: pgsql-hackers; Andrew Dunstan <[email protected]>; Matheus Alcantara <[email protected]>
Chao Li <[email protected]> 于2026年5月20日周三 09:08写道:
>
>
> > On May 20, 2026, at 09:00, Chao Li <[email protected]> wrote:
> >
> > Hi,
> >
> > I just tested “Add paths of extensions to pg_available_extensions”, and
> found an issue.
> >
> > This is a simple repro:
> > ```
> > evantest=# reset extension_control_path;
> > RESET
> > evantest=# select * from pg_available_extensions where name = 'plpgsql';
> > name | default_version | installed_version | location |
> comment
> >
> ---------+-----------------+-------------------+----------+------------------------------
> > plpgsql | 1.0 | 1.0 | $system | PL/pgSQL
> procedural language
> > (1 row)
> >
> > evantest=# set extension_control_path='';
> > SET
> > evantest=# select * from pg_available_extensions where name = 'plpgsql';
> > name | default_version | installed_version | location
> | comment
> >
> ---------+-----------------+-------------------+----------------------------------+------------------------------
> > plpgsql | 1.0 | 1.0 |
> /usr/local/pgsql/share/extension | PL/pgSQL procedural language
> > (1 row)
> > ```
> >
> > When extension_control_path is not set, location shows “$system", which
> is consistent with what the documentation says:
> > ```
> > <para>
> > The default value for this parameter is
> > <literal>'$system'</literal>. If the value is set to an empty
> > string, the default <literal>'$system'</literal> is also assumed.
> > </para>
> > ```
> >
> > However, as shown above, when I set extension_control_path to an empty
> string, the absolute system path is displayed. I consider this an
> information leakage bug.
> >
> > The fix is straightforward; see the attached patch for details. After
> the fix, when extension_control_path is an empty string, location shows
> “$system” now:
> > ```
> > evantest=# set extension_control_path='';
> > SET
> > evantest=# select * from pg_available_extensions where name = 'plpgsql';
> > name | default_version | installed_version | location |
> comment
> >
> ---------+-----------------+-------------------+----------+------------------------------
> > plpgsql | 1.0 | 1.0 | $system | PL/pgSQL
> procedural language
> > (1 row)
> > ```
> >
> > Best regards,
> > --
> > Chao Li (Evan)
> > HighGo Software Co., Ltd.
> > https://www.highgo.com/
> >
> >
> >
> >
>
> Oops, forgot the attachment. Here comes it.
>
> Best regards,
> --
> Chao Li (Evan)
> HighGo Software Co., Ltd.
> https://www.highgo.com/
>
>
>
>
> Thanks for the patch. I just reproduced the problem and verified the fix.
So this patch looks good to me.
Regards,
Lu Feng
^ permalink raw reply [nested|flat] 7+ messages in thread
* Re: Avoid leaking system path from pg_available_extensions
@ 2026-05-21 15:12 Matheus Alcantara <[email protected]>
parent: Chao Li <[email protected]>
1 sibling, 1 reply; 7+ messages in thread
From: Matheus Alcantara @ 2026-05-21 15:12 UTC (permalink / raw)
To: Chao Li <[email protected]>; pgsql-hackers; +Cc: Andrew Dunstan <[email protected]>
On 19/05/26 22:00, Chao Li wrote:
> I just tested “Add paths of extensions to pg_available_extensions”, and found an issue.
>
> This is a simple repro:
> ```
> evantest=# reset extension_control_path;
> RESET
> evantest=# select * from pg_available_extensions where name = 'plpgsql';
> name | default_version | installed_version | location | comment
> ---------+-----------------+-------------------+----------+------------------------------
> plpgsql | 1.0 | 1.0 | $system | PL/pgSQL procedural language
> (1 row)
>
> evantest=# set extension_control_path='';
> SET
> evantest=# select * from pg_available_extensions where name = 'plpgsql';
> name | default_version | installed_version | location | comment
> ---------+-----------------+-------------------+----------------------------------+------------------------------
> plpgsql | 1.0 | 1.0 | /usr/local/pgsql/share/extension | PL/pgSQL procedural language
> (1 row)
> ```
>
> When extension_control_path is not set, location shows “$system", which is consistent with what the documentation says:
> ```
> <para>
> The default value for this parameter is
> <literal>'$system'</literal>. If the value is set to an empty
> string, the default <literal>'$system'</literal> is also assumed.
> </para>
> ```
>
> However, as shown above, when I set extension_control_path to an empty string, the absolute system path is displayed. I consider this an information leakage bug.
>
> The fix is straightforward; see the attached patch for details. After the fix, when extension_control_path is an empty string, location shows “$system” now:
> ```
> evantest=# set extension_control_path='';
> SET
> evantest=# select * from pg_available_extensions where name = 'plpgsql';
> name | default_version | installed_version | location | comment
> ---------+-----------------+-------------------+----------+------------------------------
> plpgsql | 1.0 | 1.0 | $system | PL/pgSQL procedural language
> (1 row)
> ```
>
Hi, thank you for sharing the bug with the fix.
I've reproduced the issue and the fix looks correct to me.
--
Matheus Alcantara
EDB: https://www.enterprisedb.com
^ permalink raw reply [nested|flat] 7+ messages in thread
* Re: Avoid leaking system path from pg_available_extensions
@ 2026-05-22 07:25 Jim Jones <[email protected]>
parent: Matheus Alcantara <[email protected]>
0 siblings, 1 reply; 7+ messages in thread
From: Jim Jones @ 2026-05-22 07:25 UTC (permalink / raw)
To: Matheus Alcantara <[email protected]>; Chao Li <[email protected]>; pgsql-hackers; +Cc: Andrew Dunstan <[email protected]>
On 21/05/2026 17:12, Matheus Alcantara wrote:
> I've reproduced the issue and the fix looks correct to me.
same here, +1
I was wondering if creating a constant for it would be, stylistically
speaking, a cleaner solution. For instance:
#define EXTENSION_SYSTEM_MACRO "$system"
I realize that it's used only inside get_extension_control_directories()
but since it is even mentioned in the docs, I guess it wouldn't be a bad
idea.
Thanks!
Best, Jim
^ permalink raw reply [nested|flat] 7+ messages in thread
* Re: Avoid leaking system path from pg_available_extensions
@ 2026-05-22 15:40 Matheus Alcantara <[email protected]>
parent: Jim Jones <[email protected]>
0 siblings, 1 reply; 7+ messages in thread
From: Matheus Alcantara @ 2026-05-22 15:40 UTC (permalink / raw)
To: Jim Jones <[email protected]>; Chao Li <[email protected]>; pgsql-hackers; +Cc: Andrew Dunstan <[email protected]>
On 22/05/26 04:25, Jim Jones wrote:
> On 21/05/2026 17:12, Matheus Alcantara wrote:
>> I've reproduced the issue and the fix looks correct to me.
>
> same here, +1
>
Thank you for also testing.
> I was wondering if creating a constant for it would be, stylistically
> speaking, a cleaner solution. For instance:
>
> #define EXTENSION_SYSTEM_MACRO "$system"
>
> I realize that it's used only inside get_extension_control_directories()
> but since it is even mentioned in the docs, I guess it wouldn't be a bad
> idea.
>
I'm not against it but I don't think that it's necessary since as you
mention, only get_extension_control_directories() use.
--
Matheus Alcantara
EDB: https://www.enterprisedb.com
^ permalink raw reply [nested|flat] 7+ messages in thread
* Re: Avoid leaking system path from pg_available_extensions
@ 2026-05-26 07:14 Chao Li <[email protected]>
parent: Matheus Alcantara <[email protected]>
0 siblings, 0 replies; 7+ messages in thread
From: Chao Li @ 2026-05-26 07:14 UTC (permalink / raw)
To: Matheus Alcantara <[email protected]>; +Cc: Jim Jones <[email protected]>; pgsql-hackers; Andrew Dunstan <[email protected]>
> On May 22, 2026, at 23:40, Matheus Alcantara <[email protected]> wrote:
>
> On 22/05/26 04:25, Jim Jones wrote:
>> On 21/05/2026 17:12, Matheus Alcantara wrote:
>>> I've reproduced the issue and the fix looks correct to me.
>> same here, +1
>
> Thank you for also testing.
>
>> I was wondering if creating a constant for it would be, stylistically
>> speaking, a cleaner solution. For instance:
>> #define EXTENSION_SYSTEM_MACRO "$system"
>> I realize that it's used only inside get_extension_control_directories()
>> but since it is even mentioned in the docs, I guess it wouldn't be a bad
>> idea.
>
> I'm not against it but I don't think that it's necessary since as you mention, only get_extension_control_directories() use.
>
> --
> Matheus Alcantara
> EDB: https://www.enterprisedb.com
In theory, I’m not against the idea either. In practice, there are many hard-coded strings in the source tree, and I’m not sure where the right place would be to define this macro.
Since this string is only used in get_extension_control_directories(), and now it is used three times, I defined it at the beginning of the function and undefined it at the end. Let’s see if there are any objections to that.
Please see the attached v2.
Best regards,
--
Chao Li (Evan)
HighGo Software Co., Ltd.
https://www.highgo.com/
Attachments:
[application/octet-stream] v2-0001-Avoid-leaking-system-path-from-pg_available_exten.patch (3.6K, 2-v2-0001-Avoid-leaking-system-path-from-pg_available_exten.patch)
download | inline diff:
From eaf271a14944df7df87601827f5f5e4909e38c33 Mon Sep 17 00:00:00 2001
From: "Chao Li (Evan)" <[email protected]>
Date: Wed, 20 May 2026 08:49:15 +0800
Subject: [PATCH v2] Avoid leaking system path from pg_available_extensions
The documentation says that when extension_control_path is set to an
empty string, the default '$system' path is still assumed. However,
get_extension_control_directories() added the system extension directory
with a NULL macro in that case. As a result, pg_available_extensions
could expose the expanded system directory path instead of reporting
'$system' as the location.
Record the implicitly-added system directory with the '$system' macro, so
pg_available_extensions reports the documented symbolic location and does
not leak the actual system path.
Update the extension_control_path TAP test to check the reported location
directly.
Author: Chao Li <[email protected]>
Reviewed-by: Lu Feng <[email protected]>
Reviewed-by: Matheus Alcantara <[email protected]>
Reviewed-by: Jim Jones <[email protected]>
Discussion: https://postgr.es/m/[email protected]
---
src/backend/commands/extension.c | 8 +++++---
.../test_extensions/t/001_extension_control_path.pl | 6 +++---
2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/backend/commands/extension.c b/src/backend/commands/extension.c
index a330b5fd6ce..d073585c421 100644
--- a/src/backend/commands/extension.c
+++ b/src/backend/commands/extension.c
@@ -513,6 +513,7 @@ is_extension_script_filename(const char *filename)
static List *
get_extension_control_directories(void)
{
+#define EXTENSION_SYSTEM_MACRO "$system"
char sharepath[MAXPGPATH];
char *system_dir;
char *ecp;
@@ -526,7 +527,7 @@ get_extension_control_directories(void)
{
ExtensionLocation *location = palloc_object(ExtensionLocation);
- location->macro = NULL;
+ location->macro = pstrdup(EXTENSION_SYSTEM_MACRO);
location->loc = system_dir;
paths = lappend(paths, location);
}
@@ -556,10 +557,10 @@ get_extension_control_directories(void)
* Substitute the path macro if needed or append "extension"
* suffix if it is a custom extension control path.
*/
- if (strcmp(piece, "$system") == 0)
+ if (strcmp(piece, EXTENSION_SYSTEM_MACRO) == 0)
{
location->macro = pstrdup(piece);
- mangled = substitute_path_macro(piece, "$system", system_dir);
+ mangled = substitute_path_macro(piece, EXTENSION_SYSTEM_MACRO, system_dir);
}
else
{
@@ -582,6 +583,7 @@ get_extension_control_directories(void)
}
return paths;
+#undef EXTENSION_SYSTEM_MACRO
}
/*
diff --git a/src/test/modules/test_extensions/t/001_extension_control_path.pl b/src/test/modules/test_extensions/t/001_extension_control_path.pl
index c1cec0dc622..4a013a7da4b 100644
--- a/src/test/modules/test_extensions/t/001_extension_control_path.pl
+++ b/src/test/modules/test_extensions/t/001_extension_control_path.pl
@@ -109,10 +109,10 @@ is($ret, "t",
"\$system extension is shown correctly in pg_available_extensions");
$ret = $node->safe_psql('postgres',
- "set extension_control_path = ''; select count(*) > 0 as ok from pg_available_extensions where name = 'plpgsql'"
+ "set extension_control_path = ''; select location from pg_available_extensions where name = 'plpgsql'"
);
-is($ret, "t",
- "\$system extension is shown correctly in pg_available_extensions with empty extension_control_path"
+is($ret, "\$system",
+ "\$system location is shown correctly in pg_available_extensions with empty extension_control_path"
);
# Test with an extension that does not exists
--
2.50.1 (Apple Git-155)
^ permalink raw reply [nested|flat] 7+ messages in thread
end of thread, other threads:[~2026-05-26 07:14 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2026-05-20 01:00 Avoid leaking system path from pg_available_extensions Chao Li <[email protected]>
2026-05-20 01:07 ` Chao Li <[email protected]>
2026-05-21 08:55 ` lu feng <[email protected]>
2026-05-21 15:12 ` Matheus Alcantara <[email protected]>
2026-05-22 07:25 ` Jim Jones <[email protected]>
2026-05-22 15:40 ` Matheus Alcantara <[email protected]>
2026-05-26 07:14 ` Chao Li <[email protected]>
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox