From: Thomas Chauchefoin <thomas.chauchefoin@sonarsource.com>
Date: Thu, 10 Feb 2022 08:50:44 +0100
Subject: Insert the end-of-options marker before operation arguments.

This marker stops the parsing of additional options during external
calls to GPG. This behavior is unintended but its security impact is
dependent on the environment and the GPG version in use.
---
 Crypt_GPG-1.6.4/Crypt/GPG.php         | 8 ++++----
 Crypt_GPG-1.6.4/Crypt/GPGAbstract.php | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/Crypt_GPG-1.6.4/Crypt/GPG.php b/Crypt_GPG-1.6.4/Crypt/GPG.php
index 87d2c8e..4c70833 100644
--- a/Crypt_GPG-1.6.4/Crypt/GPG.php
+++ b/Crypt_GPG-1.6.4/Crypt/GPG.php
@@ -457,7 +457,7 @@ class Crypt_GPG extends Crypt_GPGAbstract
             );
         }
 
-        $operation = '--delete-key ' . escapeshellarg($fingerprint);
+        $operation = '--delete-key -- ' . escapeshellarg($fingerprint);
         $arguments = array(
             '--batch',
             '--yes'
@@ -507,7 +507,7 @@ class Crypt_GPG extends Crypt_GPGAbstract
             );
         }
 
-        $operation = '--delete-secret-key ' . escapeshellarg($fingerprint);
+        $operation = '--delete-secret-key -- ' . escapeshellarg($fingerprint);
         $arguments = array(
             '--batch',
             '--yes'
@@ -585,7 +585,7 @@ class Crypt_GPG extends Crypt_GPGAbstract
     public function getFingerprint($keyId, $format = self::FORMAT_NONE)
     {
         $output    = '';
-        $operation = '--list-keys ' . escapeshellarg($keyId);
+        $operation = '--list-keys -- ' . escapeshellarg($keyId);
         $arguments = array(
             '--with-colons',
             '--with-fingerprint'
@@ -1584,7 +1584,7 @@ class Crypt_GPG extends Crypt_GPGAbstract
 
         $keyData   = '';
         $operation = $private ? '--export-secret-keys' : '--export';
-        $operation .= ' ' . escapeshellarg($fingerprint);
+        $operation .= ' -- ' . escapeshellarg($fingerprint);
         $arguments = $armor ? array('--armor') : array();
 
         $this->engine->reset();
diff --git a/Crypt_GPG-1.6.4/Crypt/GPGAbstract.php b/Crypt_GPG-1.6.4/Crypt/GPGAbstract.php
index 3dafe12..2c6b4b6 100644
--- a/Crypt_GPG-1.6.4/Crypt/GPGAbstract.php
+++ b/Crypt_GPG-1.6.4/Crypt/GPGAbstract.php
@@ -360,7 +360,7 @@ abstract class Crypt_GPGAbstract
         if ($keyId == '') {
             $operation = '--list-secret-keys';
         } else {
-            $operation = '--utf8-strings --list-secret-keys ' . escapeshellarg($keyId);
+            $operation = '--utf8-strings --list-secret-keys -- ' . escapeshellarg($keyId);
         }
 
         // According to The file 'doc/DETAILS' in the GnuPG distribution, using
@@ -392,7 +392,7 @@ abstract class Crypt_GPGAbstract
         if ($keyId == '') {
             $operation = '--list-public-keys';
         } else {
-            $operation = '--utf8-strings --list-public-keys ' . escapeshellarg($keyId);
+            $operation = '--utf8-strings --list-public-keys -- ' . escapeshellarg($keyId);
         }
 
         $output = '';