From 26303c31f0939d093f88f609c846590ad538114f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Rodr=C3=ADguez?=
Date: Sat, 13 Nov 2021 11:18:54 +0100
Subject: [rubygems/rubygems] Pass "--" to git commands to separate positional and optional args

To make sure git uri's specified in Gemfile are never misinterpreted as optional arguments, potentially allowing for local code execution.
https://github.com/rubygems/rubygems/commit/90b1ed8b9f
---
 lib/bundler/source/git/git_proxy.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'lib/bundler')
diff --git a/lib/bundler/source/git/git_proxy.rb b/lib/bundler/source/git/git_proxy.rb
index e37ff8724a..745a7fe118 100644
--- a/lib/bundler/source/git/git_proxy.rb
+++ b/lib/bundler/source/git/git_proxy.rb
@@ -95,12 +95,12 @@ module Bundler
 SharedHelpers.filesystem_access(path.dirname) do |p|
 FileUtils.mkdir_p(p)
 end
- git_retry "clone", configured_uri, path.to_s, "--bare", "--no-hardlinks", "--quiet"
+ git_retry "clone", "--bare", "--no-hardlinks", "--quiet", "--", configured_uri, path.to_s
 return unless extra_ref
 end
 with_path do
- git_retry(*["fetch", "--force", "--quiet", "--tags", configured_uri, "refs/heads/*:refs/heads/*", extra_ref].compact, :dir => path)
+ git_retry(*["fetch", "--force", "--quiet", "--tags", "--", configured_uri, "refs/heads/*:refs/heads/*", extra_ref].compact, :dir => path)
 end
 end
--
cgit v1.2.3
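Review bot: Nothing on the two new `git_retry` lines records why `"--"` is there or that argument order now matters, so a later edit that appends a flag after `configured_uri` (as the old clone line did with `"--bare"`) would turn that flag into a positional argument and weaken the guard the commit message describes. I would add above the clone call `# "--" ends git option parsing: configured_uri comes from the Gemfile, so every flag must stay before it`, and the same above the fetch call. The diffstat shows only these two lines changed under lib/bundler, so any other git invocation in this file that passes a Gemfile-derived value is outside the hunk and should be checked for the same separator. The enclosing method starts outside the hunk.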