From 2568f2b77ec2bc9a5edc979a1a55d67b1fdc75cc Mon Sep 17 00:00:00 2001
From: Codex GPT-5
Date: Wed, 17 Jun 2026 12:26:10 +0800
Subject: [PATCH] fix: block joined short unsafe options (GHSA-v396-v7q4-x2qj)
---
 git/cmd.py | 5 ++++-
 test/test_clone.py | 4 ++++
 test/test_git.py | 2 ++
 3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/git/cmd.py b/git/cmd.py
index 92ca09c2a..71445dc6c 100644
--- a/git/cmd.py
+++ b/git/cmd.py
@@ -957,7 +957,10 @@ def _canonicalize_option_name(cls, option: str) -> str:
 option_tokens = option_name.split(None, 1)
 if not option_tokens:
 return ""
- return dashify(option_tokens[0])
+ option_token = option_tokens[0]
+ if option.startswith("-") and not option.startswith("--") and len(option_token) > 1:
+ option_token = option_token[:1]
+ return dashify(option_token)

 @classmethod
 def check_unsafe_options(cls, options: List[str], unsafe_options: List[str]) -> None:
diff --git a/test/test_clone.py b/test/test_clone.py
index 653d50aa3..c8db1cf0e 100644
--- a/test/test_clone.py
+++ b/test/test_clone.py
@@ -118,8 +118,10 @@ def test_clone_unsafe_options(self, rw_repo):
 unsafe_options = [
 f"--upload-pack='touch {tmp_file}'",
 f"-u 'touch {tmp_file}'",
+ f"-u{tmp_file}",
 "--config=protocol.ext.allow=always",
 "-c protocol.ext.allow=always",
+ "-cprotocol.ext.allow=always",
 ]
 for unsafe_option in unsafe_options:
 with self.assertRaises(UnsafeOptionError):
@@ -207,8 +209,10 @@ def test_clone_from_unsafe_options(self, rw_repo):
 unsafe_options = [
 f"--upload-pack='touch {tmp_file}'",
 f"-u 'touch {tmp_file}'",
+ f"-u{tmp_file}",
 "--config=protocol.ext.allow=always",
 "-c protocol.ext.allow=always",
+ "-cprotocol.ext.allow=always",
 ]
 for unsafe_option in unsafe_options:
 with self.assertRaises(UnsafeOptionError):
diff --git a/test/test_git.py b/test/test_git.py
index 24b60af9d..c3cb5b8f8 100644
--- a/test/test_git.py
+++ b/test/test_git.py
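Review bot: In `_canonicalize_option_name`, the new `option_token = option_token[:1]` compares only the first letter after a single dash, so the check assumes the unsafe short option is always the first character of the token. git's option parser also accepts several short flags bundled into one token, so that assumption should be confirmed; the fail-closed alternative is for `check_unsafe_options` (its body is outside this hunk) to reject a single-dash token when any of its letters matches an unsafe short option, accepting that some harmless stuck values would then be refused. Whichever is chosen, the branch needs a comment stating the rule, e.g. `# Stuck short form ("-uVALUE"): the first letter is the option, the rest is its value.` The start of the function, where `option_name` is derived from `option`, is outside the hunk.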
@@ -162,6 +162,8 @@ def test_check_unsafe_options_normalizes_kwargs(self):
 (["exec"], ["--exec"]),
 (["u"], ["-u"]),
 (["c"], ["-c"]),
+ (["-u/tmp/helper"], ["-u"]),
+ (["-cprotocol.ext.allow=always"], ["-c"]),
 (["--upload-pack=/tmp/helper"], ["--upload-pack"]),
 (["--config core.filemode=false"], ["--config"]),
 ]
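Review bot: The two added pairs in `test_check_unsafe_options_normalizes_kwargs` only cover rejection of the stuck short form; nothing visible here pins the complementary behaviour, that a stuck short option whose first letter is not in the unsafe list is still accepted. Since the fix truncates every single-dash token to one character, a companion case would guard against over-blocking, for example asserting that `check_unsafe_options` with options `["-bmain"]` and unsafe options `["-u"]` raises nothing. The test body that consumes this list lies outside the hunk, so such a case may need its own test rather than another entry in the list.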