fix: block unsafe long-option prefixes (GHSA-2f96-g7mh-g2hx)

codex · Byron · commit c705fe7e108c · 2026-06-17T12:30:57.000+08:00
diff --git a/git/cmd.py b/git/cmd.py
@@ -967,8 +967,8 @@ def check_unsafe_options(cls, options: List[str], unsafe_options: List[str]) ->
         arbitrary commands. These are blocked by default.
         """
         # Options can be of the form `foo`, `--foo`, `--foo bar`, or `--foo=bar`.
-        # We also treat unambiguous long-option prefixes as unsafe, matching
-        # Git's own option parser behavior for long options.
+        # We also treat long-option prefix forms as unsafe, matching Git's option
+        # parser behavior for long options.
         canonical_unsafe_options = [
             (cls._canonicalize_option_name(option), option) for option in unsafe_options
         ]
