--- /dev/null
+Description: Escape theme name before passing it to system(3)
+Bug-Debian: https://bugs.debian.org/739709
+Author: Marius Gavrilescu <marius@ieval.ro>
+Forwarded: no
+Last-Update: 2014-02-23
+
+--- a/main.c
++++ b/main.c
+@@ -808,27 +808,51 @@
+ }
+ }
+
++static gchar *shell_escape (gchar *arg)
++{
++ gchar *out;
++ gint n;
++
++ out = g_new(gchar, strlen(arg) * 2 + 1);
++ n = 0;
++ for(;*arg;arg++)
++ {
++ if(*arg == '\'')
++ {
++ out[n++] = '\'';
++ out[n++] = '\\';
++ out[n++] = '\'';
++ }
++ out[n++] = *arg;
++ }
++ out[n] = 0;
++
++ return out;
++ }
++
+ static short install_tarball (gchar *path, gchar **rc_file)
+ {
+- gchar *command, *themedir;
++ gchar *command, *themedir, *escaped_path;
+ gint result;
+ GList *new_list, *new_theme;
+
+ themedir = g_strdup_printf ("%s/.themes", homedir);
++ escaped_path = shell_escape (path);
+
+ if (path[0] != '/')
+ {
+ gchar *cwd = g_get_current_dir();
+- command = g_strdup_printf ("tar --directory %s -xzf %s/%s 2>/dev/null", themedir, cwd, path);
++ command = g_strdup_printf ("tar --directory %s -xzf %s/'%s' 2>/dev/null", themedir, cwd, escaped_path);
+ g_free (cwd);
+ }
+ else
+- command = g_strdup_printf ("tar --directory %s -xzf %s 2>/dev/null", themedir, path);
++ command = g_strdup_printf ("tar --directory %s -xzf '%s' 2>/dev/null", themedir, escaped_path);
+
+ /* Ensure that ~/.themes exists */
+ mkdir (themedir, S_IRUSR | S_IWUSR | S_IXUSR);
+
+ result = system(command);
++ g_free (escaped_path);
+ g_free (command);
+ g_free (themedir);
+ if (result != EXIT_SUCCESS)
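Review bot: shell_escape() under-allocates its output buffer: each `'` in the input is written as four bytes (`'\''`, three in the `if` body plus the copy of `*arg`), but the buffer is sized `strlen(arg) * 2 + 1`, so a path consisting mostly of single quotes writes past the end of the heap allocation; size it as `out = g_new(gchar, strlen(arg) * 4 + 1);`. Separately, only `path` is escaped in install_tarball: `themedir` (built from `homedir`) and `cwd` are still interpolated unquoted into the string handed to system(), so a home or working directory containing spaces or shell metacharacters is still interpreted by the shell. Passing all three through GLib's `g_shell_quote()` would cover them and make the hand-written helper unnecessary. install_tarball's body continues outside the hunk.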