
issue-2897 branch has insecure use of SQL


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version: trunk
    • Fix Version: 1.5.0
    • Component: libsvn_fs

    Description

      construct_rooted_path_segments in libsvn_fs_util/mergeinfo-sqlite-index.c on the
      issue-2897 branch interpolates paths directly into a query string without any
      sort of escaping.  This would be a security hole.
      
      The fix would be to return a string like (?, ?, ?, ?) and an array of paths to
      bind.  This must be done if this code is to be used.
      
      However, I don't really think this is necessary; I'm planning to reimplement
      svn_fs_get_commit_and_merge_ranges without using the SQLite index at all, after
      reintegrate is merged to trunk.  But if that doesn't end up happening, and
      issue-2897 is merged to trunk still using SQLite, this bug must be fixed.
      
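As an added illustration (not code from Subversion or the issue-2897 branch), the following puts the interpolation pattern the report describes beside the "(?, ?, ?)" plus bound-values shape it proposes, over a constructed in-memory table; the table name, columns and sample rows are assumptions, not the real mergeinfo schema.

```python
import sqlite3

# Constructed sample table standing in for the SQLite mergeinfo index
# (assumed schema, not Subversion's). One path contains a quote.
SAMPLE_ROWS = [
    ("/trunk", "/branches/feature", "1-10"),
    ("/trunk/docs", "/branches/feature/docs", "3-7"),
    ("/branches/it's", "/trunk", "20-25"),
]

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mergeinfo (path TEXT, mergedfrom TEXT, ranges TEXT)")
    conn.executemany("INSERT INTO mergeinfo VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def rooted_segments(path):
    # "/a/b/c" -> ["/a", "/a/b", "/a/b/c"]: the ancestor paths a lookup needs.
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]

def query_interpolated(conn, path):
    # The pattern the issue flags: path strings pasted straight into the SQL text.
    segs = ", ".join("'%s'" % s for s in rooted_segments(path))
    sql = "SELECT path, mergedfrom, ranges FROM mergeinfo WHERE path IN (%s) ORDER BY path" % segs
    return conn.execute(sql).fetchall()

def placeholders_and_params(path):
    # The fix the issue proposes: a "(?, ?, ?)" string plus the values to bind.
    segs = rooted_segments(path)
    return "(" + ", ".join("?" * len(segs)) + ")", segs

def query_bound(conn, path):
    placeholders, params = placeholders_and_params(path)
    sql = "SELECT path, mergedfrom, ranges FROM mergeinfo WHERE path IN " + placeholders + " ORDER BY path"
    return conn.execute(sql, params).fetchall()

def compare(path):
    # Returns (rows from the bound query, whether the interpolated query failed).
    # A path containing a quote is ordinary data for the bound form but breaks
    # the interpolated SQL, which is how the unescaped input reaches the parser.
    conn = open_db()
    bound = query_bound(conn, path)
    try:
        query_interpolated(conn, path)
        broke = False
    except sqlite3.OperationalError:
        broke = True
    return bound, broke
```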

People

    Assignee: Unassigned
    Reporter: glasser (David Samuel Glasser)