This seems to fix it but I have no idea what it breaks. Command
injection should be stopped a few lines above that, and no other
parameter is ever quoted using quotemeta, so I'm not sure what the point
is, but I suppose it is actually necessary because the search text is
then wrapped into a regular expression or something?

--- git.orig/gitweb/gitweb.perl	2007-05-01 11:58:27.000000000 +0200
+++ git/gitweb/gitweb.perl	2007-05-01 12:11:56.000000000 +0200
@@ -368,7 +368,6 @@ if (defined $searchtext) {
 	if (length($searchtext) < 2) {
 		die_error(undef, "At least two characters are required for search parame=
ter");
 	}
-	$searchtext =3D quotemeta $searchtext;
 }
=20
 our $searchtype =3D $cgi->param('st');