In libutil/dbop.c, dbop_get calls dbop3_get when using the sqlite3 backend. dbop3_get prepares a sqlite3 query as follows:

    strbuf_sprintf(sql, "select dat, extra from %s where key = '%s' limit 1", dbop->tblname, name);

If the `name` string contains a single-quote character, a SQL injection can occur. dbop_get can be called with unsanitized values, e.g. raw path strings when inserting paths into GPATH. As a result, running gtags in sqlite3 mode on a source tree containing a path with a single quote may fail or execute unintended SQL queries.

A fix may involve using a prepared statement, or properly SQL-escaping the `name` parameter.

Note: this bug was found by Theori's Xint Code analysis.

Thanks,
Tim Becker
Theori
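As an added illustration (not code from the report or from GNU Global), the following Python uses the standard sqlite3 module as a stand-in for the C API to reproduce the query construction in dbop3_get against a constructed in-memory GPATH table, and shows both suggested fixes: a bound parameter (sqlite3_bind_text in C) and single-quote doubling (what sqlite3_mprintf's %q does). The table layout and the sample paths are assumptions.

```python
import sqlite3

TABLE = "GPATH"
# Constructed sample paths; the second contains a single quote, which breaks
# the query text that dbop3_get builds with %s substitution.
SAMPLE_PATHS = ["src/main.c", "src/it's.c"]


def make_db():
    """Build an in-memory table shaped like the assumed GPATH schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table %s (key text primary key, dat text, extra text)" % TABLE)
    for i, path in enumerate(SAMPLE_PATHS):
        conn.execute("insert into %s values (?, ?, ?)" % TABLE, (path, str(i + 1), ""))
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Mirrors dbop3_get: the key is spliced into the SQL text verbatim."""
    sql = "select dat, extra from %s where key = '%s' limit 1" % (TABLE, name)
    return conn.execute(sql).fetchone()


def unsafe_is_broken(conn, name):
    """True when the spliced query fails to parse for this key (the reported failure)."""
    try:
        lookup_unsafe(conn, name)
        return False
    except sqlite3.Error:
        return True


def lookup_bound(conn, name):
    """Fix 1: prepared statement with a bound parameter; the key never touches SQL text."""
    sql = "select dat, extra from %s where key = ? limit 1" % TABLE
    return conn.execute(sql, (name,)).fetchone()


def sql_escape(name):
    """Fix 2: make a value safe inside a single-quoted SQL literal by doubling quotes."""
    return name.replace("'", "''")


def lookup_escaped(conn, name):
    """Same query shape as dbop3_get, but with the key escaped before splicing."""
    sql = "select dat, extra from %s where key = '%s' limit 1" % (TABLE, sql_escape(name))
    return conn.execute(sql).fetchone()
```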
