@max
A strong case can be made though that the patch tool garbage erasure must only apply to initial “garbage”, rather than initial and inter-chunk garbage. That’s the aspect that causes the surprise here: VCS diffs only ever place commit metadata (including the message) before the actual patch, but the patch tool allows this metadata (“garbage”) anywhere. At least for git apply that is an obvious bug in and of itself.
Secondly, given this git show should have exported the commit message with one leading space on every line, as that is the escaping mechanism specified by patch for “garbage” data.
Doing both of the above changes would make for a robust mitigation on all levels.
@bmarinov @zekjur @musicmatze