From bab3f077a05d7da95017fdd1a7ddb9649b912da7 Mon Sep 17 00:00:00 2001
From: Magnus Hagander <magnus@hagander.net>
Date: Thu, 20 Nov 2008 15:36:22 +0000
Subject: [PATCH] Don't pass strings directly to errdetail() and errhint() -
 use %s to unescape them. Fixes a potential security issue (in as yet
 unreleased code)

---
 src/pl/plpgsql/src/pl_exec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/pl/plpgsql/src/pl_exec.c b/src/pl/plpgsql/src/pl_exec.c
index 7d8eb9b346..03c77eae81 100644
--- a/src/pl/plpgsql/src/pl_exec.c
+++ b/src/pl/plpgsql/src/pl_exec.c
@@ -2538,8 +2538,8 @@ exec_stmt_raise(PLpgSQL_execstate *estate, PLpgSQL_stmt_raise *stmt)
 	ereport(stmt->elog_level,
 			(err_code ? errcode(err_code) : 0,
 			 errmsg_internal("%s", err_message),
-			 (err_detail != NULL) ? errdetail(err_detail) : 0,
-			 (err_hint != NULL) ? errhint(err_hint) : 0));
+			 (err_detail != NULL) ? errdetail("%s", err_detail) : 0,
+			 (err_hint != NULL) ? errhint("%s", err_hint) : 0));
 
 	estate->err_text = NULL;	/* un-suppress... */
 
-- 
2.39.5