diff --git a/mod.php b/mod.php
index 1226a0db..cedceb26 100644
--- a/mod.php
+++ b/mod.php
@@ -369,7 +369,7 @@
 			
 			// For some reason, reading the ZIP entries in PHP doesn't seem to work very well.
 			// Use shell instead.
-			shell_exec('TEMP_DIR=$(mktemp -d); unzip -q "' . $temp . '" -d $TEMP_DIR -x "' . $dir . 'inc/instance-config.php"; mv -v $TEMP_DIR/' . $dir . '* "' . getcwd() . '"; rm -rf $TEMP_DIR');
+			shell_exec('TEMP_DIR=$(mktemp -d); unzip -q ' . escapeshellarg($temp) . ' -d $TEMP_DIR -x "' . escapeshellarg($dir) . 'inc/instance-config.php"; mv -v $TEMP_DIR/' . escapeshellarg($dir) . '* "' . getcwd() . '"; rm -rf $TEMP_DIR');
 			
 			unlink($temp);