Index: typo3/mod/tools/em/class.em_index.php
===================================================================
--- typo3/mod/tools/em/class.em_index.php	(revision 1626)
+++ typo3/mod/tools/em/class.em_index.php	(working copy)
@@ -1294,7 +1297,7 @@
 	function unzip($file, $path) {
 		if(strlen($GLOBALS['TYPO3_CONF_VARS']['BE']['unzip_path'])) {
 			chdir($path);
-			$cmd = $GLOBALS['TYPO3_CONF_VARS']['BE']['unzip_path'].' -o '.$file;
+			$cmd = $GLOBALS['TYPO3_CONF_VARS']['BE']['unzip_path'].' -o '.escapeshellarg($file);
 			exec($cmd, $list, $ret);
 			return ($ret === 0);
 		} else {