construct_rooted_path_segments in libsvn_fs_util/mergeinfo-sqlite-index.c on the issue-2897 branch interpolates paths directly into a query string without any sort of escaping. This would be a security hole. The fix would be to return a string like (?, ?, ?, ?) and an array of paths to bind. This must be done if this code is to be used. However, I don't really think this is necessary; I'm planning to reimplement svn_fs_get_commit_and_merge_ranges without using the SQLite index at all, after reintegrate is merged to trunk. But if that doesn't end up happening, and issue-2897 is merged to trunk still using SQLite, this bug must be fixed.
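
The interpolation problem and the proposed "(?, ?, ?, ?) plus an array of paths to bind" fix, as an added example that is not part of the original report and not Subversion's code. It uses Python's sqlite3 module rather than the C API; the table `mergeinfo_changed`, the helper names, and the sample paths are constructed for illustration, and `path_segments` is only a guess at what the segment list contains.

```python
import sqlite3

def path_segments(path):
    """'/a/b/c' -> ['/a/b/c', '/a/b', '/a', '/'] (assumed shape of the segment list)."""
    parts = [p for p in path.split("/") if p]
    segs = ["/" + "/".join(parts[:i]) for i in range(len(parts), 0, -1)]
    return segs + ["/"]

def in_clause(values):
    """Return ('(?, ?, ...)', [values]): SQL text with placeholders, plus values to bind."""
    if not values:
        raise ValueError("IN list must not be empty")
    return "(" + ", ".join(["?"] * len(values)) + ")", list(values)

def lookup_unsafe(db, path):
    # The pattern the report describes: paths pasted into the SQL text unescaped.
    quoted = ", ".join("'" + s + "'" for s in path_segments(path))
    sql = ("SELECT path FROM mergeinfo_changed WHERE path IN (" + quoted +
           ") ORDER BY path")
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, path):
    # The proposed fix: only placeholders reach the SQL text; paths are bound.
    placeholders, params = in_clause(path_segments(path))
    sql = ("SELECT path FROM mergeinfo_changed WHERE path IN " + placeholders +
           " ORDER BY path")
    return [row[0] for row in db.execute(sql, params)]

def make_db():
    # Constructed sample data; the schema is hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mergeinfo_changed (path TEXT, revision INTEGER)")
    db.executemany("INSERT INTO mergeinfo_changed VALUES (?, ?)",
                   [("/trunk", 5), ("/trunk/it's", 6), ("/private", 7)])
    return db

# Constructed path whose quote characters rewrite the WHERE clause when interpolated.
HOSTILE = "/x') OR path NOT IN ('"

if __name__ == "__main__":
    db = make_db()
    print("bound, apostrophe path:", lookup_bound(db, "/trunk/it's"))
    print("unsafe, hostile path:  ", lookup_unsafe(db, HOSTILE))
    print("bound, hostile path:   ", lookup_bound(db, HOSTILE))
    try:
        lookup_unsafe(db, "/trunk/it's")
    except sqlite3.OperationalError as exc:
        print("unsafe, apostrophe path fails:", exc)
```

With bound parameters a legitimate path containing an apostrophe also works, whereas the interpolated query fails with a syntax error on it. SQLite caps the number of bound parameters per statement (SQLITE_MAX_VARIABLE_NUMBER), which matters only for very deep paths.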