[Gitea 1.17.3](https://pouet.chapril.org/@gna/109176306611564720) includes a [security patch](https://lab.forgefriends.org/forgefriends/forgefriends/-/commit/d98c5db58fdeded983bf5c0fe781fd7b77a1235f) that prevents the injection of arguments to the git command run by Gitea.
When displaying the commit graph [for the master branch](https://gitea.gna.org/Gna/organization/graph?branch=refs%2Fheads%2Fmaster), the URL contains the argument **refs%2Fheads%2Fmaster** that is passed to the `git` command with something like:
If, by accident or maliciously, the branch name starts with a dash, it would be mistaken to be a `git` argument instead of a branch name. For instance **-h** could be passed to the `git` command as: