On Wed, May 20, 2026 at 09:08, Chao Li <[email protected]> wrote:
>
> > On May 20, 2026, at 09:00, Chao Li <[email protected]> wrote:
> >
> > Hi,
> >
> > I just tested “Add paths of extensions to pg_available_extensions”, and found an issue.
> >
> > This is a simple repro:
> > ```
> > evantest=# reset extension_control_path;
> > RESET
> > evantest=# select * from pg_available_extensions where name = 'plpgsql';
> >   name   | default_version | installed_version | location |           comment
> > ---------+-----------------+-------------------+----------+------------------------------
> >  plpgsql | 1.0             | 1.0               | $system  | PL/pgSQL procedural language
> > (1 row)
> >
> > evantest=# set extension_control_path='';
> > SET
> > evantest=# select * from pg_available_extensions where name = 'plpgsql';
> >   name   | default_version | installed_version |             location             |           comment
> > ---------+-----------------+-------------------+----------------------------------+------------------------------
> >  plpgsql | 1.0             | 1.0               | /usr/local/pgsql/share/extension | PL/pgSQL procedural language
> > (1 row)
> > ```
> >
> > When extension_control_path is not set, location shows “$system”, which is consistent with what the documentation says:
> > ```
> > <para>
> >  The default value for this parameter is
> >  <literal>'$system'</literal>. If the value is set to an empty
> >  string, the default <literal>'$system'</literal> is also assumed.
> > </para>
> > ```
> >
> > However, as shown above, when I set extension_control_path to an empty string, the absolute system path is displayed. I consider this an information leakage bug.
> >
> > The fix is straightforward; see the attached patch for details. After the fix, when extension_control_path is an empty string, location shows “$system” now:
> > ```
> > evantest=# set extension_control_path='';
> > SET
> > evantest=# select * from pg_available_extensions where name = 'plpgsql';
> >   name   | default_version | installed_version | location |           comment
> > ---------+-----------------+-------------------+----------+------------------------------
> >  plpgsql | 1.0             | 1.0               | $system  | PL/pgSQL procedural language
> > (1 row)
> > ```
> >
> > Best regards,
> > --
> > Chao Li (Evan)
> > HighGo Software Co., Ltd.
> > https://www.highgo.com/
>
> Oops, forgot the attachment. Here comes it.
>
> Best regards,
> --
> Chao Li (Evan)
> HighGo Software Co., Ltd.
> https://www.highgo.com/

Thanks for the patch. I just reproduced the problem and verified the fix. So this patch looks good to me.

Regards,
Lu Feng
