Is there a high level write up about this somewhere? I can't figure out off the top of my head how a hostname that starts with a hyphen and gets mistaken for an ssh option causes arbitrary local command execution. Wouldn't the first word of the remote git command slide over and become the hostname?
Could this not have been fixed by prefixing the '--' argument on the command line, and requiring that all ssh implementations must implement that in order to be compatible?<p>Seriously, why are we still dealing with what amounts to a quoting issue in 2017?