Thread

  1. Re: Avoid leaking system path from pg_available_extensions

    Chao Li <li.evan.chao@gmail.com> — 2026-05-20T01:07:49Z

    
    > On May 20, 2026, at 09:00, Chao Li <li.evan.chao@gmail.com> wrote:
    > 
    > Hi,
    > 
    > I just tested “Add paths of extensions to pg_available_extensions”, and found an issue.
    > 
    > This is a simple repro:
    > ```
    > evantest=# reset extension_control_path;
    > RESET
    > evantest=# select * from pg_available_extensions where name = 'plpgsql';
    >  name   | default_version | installed_version | location |           comment
    > ---------+-----------------+-------------------+----------+------------------------------
    > plpgsql | 1.0             | 1.0               | $system  | PL/pgSQL procedural language
    > (1 row)
    > 
    > evantest=# set extension_control_path='';
    > SET
    > evantest=# select * from pg_available_extensions where name = 'plpgsql';
    >  name   | default_version | installed_version |             location             |           comment
    > ---------+-----------------+-------------------+----------------------------------+------------------------------
    > plpgsql | 1.0             | 1.0               | /usr/local/pgsql/share/extension | PL/pgSQL procedural language
    > (1 row)
    > ```
    > 
    > When extension_control_path is not set, location shows “$system”, which is consistent with what the documentation says:
    > ```
    >       <para>
    >        The default value for this parameter is
    >        <literal>'$system'</literal>. If the value is set to an empty
    >        string, the default <literal>'$system'</literal> is also assumed.
    >       </para>
    > ```
    > 
    > However, as shown above, when I set extension_control_path to an empty string, the absolute system path is displayed. I consider this an information leakage bug.
    > 
    > The fix is straightforward; see the attached patch for details. After the fix, when extension_control_path is an empty string, location shows “$system” now:
    > ```
    > evantest=# set extension_control_path='';
    > SET
    > evantest=# select * from pg_available_extensions where name = 'plpgsql';
    >  name   | default_version | installed_version | location |           comment
    > ---------+-----------------+-------------------+----------+------------------------------
    > plpgsql | 1.0             | 1.0               | $system  | PL/pgSQL procedural language
    > (1 row)
    > ```
    > 
    > Best regards,
    > --
    > Chao Li (Evan)
    > HighGo Software Co., Ltd.
    > https://www.highgo.com/
    > 
    
    Oops, forgot the attachment. Here it comes.
    
    Best regards,
    --
    Chao Li (Evan)
    HighGo Software Co., Ltd.
    https://www.highgo.com/
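A small model of the behaviour the report expects, added here as an example (it is not the attached patch or PostgreSQL's own code): an empty extension_control_path is treated as the default '$system', and the displayed location is mapped back to the token whenever the control file was found in the built-in directory. The share directory, the expansion of '$system' to `<sharedir>/extension`, and the ':' list separator are assumptions.

```python
import os

# Constructed values for the example; in PostgreSQL these are build-time settings.
SYSTEM_SHARE_DIR = "/usr/local/pgsql/share"   # assumption: compiled-in share dir
SYSTEM_TOKEN = "$system"
PATH_SEPARATOR = ":"                           # assumption: Unix list separator


def system_extension_dir(share_dir=SYSTEM_SHARE_DIR):
    """Directory that '$system' stands for (assumed to be <sharedir>/extension)."""
    return os.path.join(share_dir, "extension")


def parse_control_path(setting, share_dir=SYSTEM_SHARE_DIR):
    """Expand an extension_control_path value into the directories to search.

    An empty string is treated exactly like the default '$system', as the
    documentation quoted in the report says it should be.
    """
    if setting.strip() == "":
        setting = SYSTEM_TOKEN
    dirs = []
    for entry in setting.split(PATH_SEPARATOR):
        entry = entry.strip()
        if not entry:
            continue  # tolerate stray separators such as "a::b"
        if entry.startswith(SYSTEM_TOKEN):
            entry = system_extension_dir(share_dir) + entry[len(SYSTEM_TOKEN):]
        dirs.append(os.path.normpath(entry))
    return dirs


def display_location(found_in, share_dir=SYSTEM_SHARE_DIR):
    """Location string to report for a control file found in `found_in`.

    The built-in directory is always reported as '$system', no matter whether
    the setting reached it via the token, the default, or an empty string, so
    the absolute install path is never exposed through the view.
    """
    if os.path.normpath(found_in) == system_extension_dir(share_dir):
        return SYSTEM_TOKEN
    return os.path.normpath(found_in)
```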