File php-composer2-CVE-2024-35242.patch of Package php-composer2.34329
--- a/src/Composer/Package/Version/VersionGuesser.php
+++ b/src/Composer/Package/Version/VersionGuesser.php
@@ -173,7 +173,7 @@ $featureVersion = $version;
$featurePrettyVersion = $prettyVersion;
-$result = $this->guessFeatureVersion($packageConfig, $version, $branches, 'git rev-list %candidate%..%branch%', $path);
+$result = $this->guessFeatureVersion($packageConfig, $version, $branches, ['git', 'rev-list', '%candidate%..%branch%'], $path);
$version = $result['version'];
$prettyVersion = $result['pretty_version'];
}
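Review bot: The revision range on the added line is still a single argv element that begins with the substituted candidate name, so a name starting with `-` would be parsed by git as an option rather than a revision; the array form removes shell interpretation but not this. Whether such a name can reach the call depends on how `$branches` is built, which is outside the hunk. Consider rejecting names that start with `-` before the command is assembled, or, if the supported git versions allow it, placing `--end-of-options` ahead of the range: `['git', 'rev-list', '--end-of-options', '%candidate%..%branch%']`.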
@@ -248,7 +248,7 @@ $driver = new HgDriver(['url' => $path],
$branches = array_map('strval', array_keys($driver->getBranches()));
-$result = $this->guessFeatureVersion($packageConfig, $version, $branches, 'hg log -r "not ancestors(\'%candidate%\') and ancestors(\'%branch%\')" --template "{node}\\n"', $path);
+$result = $this->guessFeatureVersion($packageConfig, $version, $branches, ['hg', 'log', '-r', 'not ancestors(\'%candidate%\') and ancestors(\'%branch%\')', '--template', '"{node}\\n"'], $path);
$result['commit'] = '';
$result['feature_version'] = $version;
$result['feature_pretty_version'] = $version;
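Review bot: The candidate and branch names are still substituted inside a single-quoted revset string in the `-r` element, so a name containing `'` can alter the revset expression even though no shell is involved any more. Escaping or rejecting quote and backslash characters in the names before substitution would close that gap; the substitution itself happens in guessFeatureVersion, outside this hunk. Separately, the `--template` element keeps its literal double quotes (`'"{node}\\n"'`), which were shell quoting in the old string and are now presumably passed to hg as part of the template. If the quotes are not wanted in the output, `'{node}\\n'` would be the equivalent argument, and it is worth confirming how the caller measures the output.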
@@ -267,7 +267,7 @@ return null;
-private function guessFeatureVersion(array $packageConfig, ?string $version, array $branches, string $scmCmdline, string $path): array
+private function guessFeatureVersion(array $packageConfig, ?string $version, array $branches, array $scmCmdline, string $path): array
{
$prettyVersion = $version;
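Review bot: The new `array $scmCmdline` type does not tell a caller that the value is an argv list whose elements may contain the `%candidate%` and `%branch%` placeholders, and no docblock change is visible in this hunk. If the method's docblock still describes the parameter as a string, update it, for example `@param non-empty-list<string> $scmCmdline argv list; %candidate% and %branch% are replaced in every element`. The function body continues outside the hunk.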
@@ -309,7 +309,9 @@ if ($candidate === $branch || $this->isF
continue;
}
-$cmdLine = str_replace(['%candidate%', '%branch%'], [$candidate, $branch], $scmCmdline);
+$cmdLine = array_map(static function (string $component) use ($candidate, $branch) {
+return str_replace(['%candidate%', '%branch%'], [$candidate, $branch], $component);
+}, $scmCmdline);
$promises[] = $this->process->executeAsync($cmdLine, $path)->then(function (Process $process) use (&$length, &$version, &$prettyVersion, $candidateVersion, &$promises): void {
if (!$process->isSuccessful()) {
return;
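Review bot: The closure passed to `array_map` declares its parameter type but no return type, while the `then()` callback two lines below declares `: void`; adding `: string` keeps the two consistent and lets static analysis confirm that `$cmdLine` stays a list of strings: `$cmdLine = array_map(static function (string $component) use ($candidate, $branch): string {`. The substitution applies to every element, including the executable name, which is harmless for the two callers shown but worth a short comment such as `// placeholders are replaced per argv element; no shell is involved`. The enclosing loop and function start and end outside the hunk.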