diff --git a/NEWS b/NEWS
index 53715aaf3..de356d9bd 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,10 @@
   * Fix setting of origin in config when non-standard origin is passed into
     ``Repo.clone``. (Kenneth Lareau, #565)
 
+  * Prevent setting SSH arguments from SSH URLs when using SSH through a
+    subprocess. Note that Dulwich doesn't support cloning submodules.
+    (CVE 2017-1000117) (Jelmer Vernooij)
+
  IMPROVEMENTS
 
   * Silently ignored directories in ``Repo.stage``.
diff --git a/dulwich/client.py b/dulwich/client.py
index 4a4158943..185a9a657 100644
--- a/dulwich/client.py
+++ b/dulwich/client.py
@@ -1080,6 +1080,13 @@ def run_command(self, host, command, username=None, port=None):
         raise NotImplementedError(self.run_command)
 
 
+class StrangeHostname(Exception):
+    """Refusing to connect to strange SSH hostname."""
+
+    def __init__(self, hostname):
+        super(StrangeHostname, self).__init__(hostname)
+
+
 class SubprocessSSHVendor(SSHVendor):
     """SSH vendor that shells out to the local 'ssh' command."""
 
@@ -1090,6 +1097,8 @@ def run_command(self, host, command, username=None, port=None):
             args.extend(['-p', str(port)])
         if username is not None:
             host = '%s@%s' % (username, host)
+        if host.startswith('-'):
+            raise StrangeHostname(hostname=host)
         args.append(host)
         proc = subprocess.Popen(args + [command], bufsize=0,
                                 stdin=subprocess.PIPE,
diff --git a/dulwich/tests/test_client.py b/dulwich/tests/test_client.py
index ea4d4d3e2..7cd8f385b 100644
--- a/dulwich/tests/test_client.py
+++ b/dulwich/tests/test_client.py
@@ -50,6 +50,8 @@
     HttpGitClient,
     ReportStatusParser,
     SendPackError,
+    StrangeHostname,
+    SubprocessSSHVendor,
     UpdateRefsError,
     default_urllib2_opener,
     get_transport_and_path,
@@ -942,3 +944,11 @@ def test_config_proxy(self):
         opener = default_urllib2_opener(config=config)
         self.assertIn(urllib2.ProxyHandler,
                       list(map(lambda x: x.__class__, opener.handlers)))
+
+
+class SubprocessSSHVendorTests(TestCase):
+
+    def test_run_command_dashes(self):
+        vendor = SubprocessSSHVendor()
+        self.assertRaises(StrangeHostname, vendor.run_command, '--weird-host',
+                          'git-clone-url')