diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3dad158528..19511c0002 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@
1. [](#bugfix)
* Regression: Fixed saving page with a new language causing cache corruption [getgrav/grav-plugin-admin#2282](https://github.com/getgrav/grav-plugin-admin/issues/2282)
* Fixed a potential fatal error when using watermark in images
+ * Fixed `bin/grav install` command with arbitrary destination folder name
# v1.7.33
## 04/25/2022
diff --git a/system/src/Grav/Console/Cli/InstallCommand.php b/system/src/Grav/Console/Cli/InstallCommand.php
index 33198cb5f8..ae38253303 100644
--- a/system/src/Grav/Console/Cli/InstallCommand.php
+++ b/system/src/Grav/Console/Cli/InstallCommand.php
@@ -147,7 +147,7 @@ private function gitclone(): int
foreach ($this->config['git'] as $repo => $data) {
$path = $this->destination . DS . $data['path'];
if (!file_exists($path)) {
- exec('cd "' . $this->destination . '" && git clone -b ' . $data['branch'] . ' --depth 1 ' . $data['url'] . ' ' . $data['path'], $output, $return);
+ exec('cd ' . escapeshellarg($this->destination) . ' && git clone -b ' . $data['branch'] . ' --depth 1 ' . $data['url'] . ' ' . $data['path'], $output, $return);
if (!$return) {
$io->writeln('SUCCESS cloned ' . $data['url'] . ' -> ' . $path . '');
diff --git a/system/src/Grav/Console/ConsoleTrait.php b/system/src/Grav/Console/ConsoleTrait.php
index 0af4075abe..d35fc7cfe6 100644
--- a/system/src/Grav/Console/ConsoleTrait.php
+++ b/system/src/Grav/Console/ConsoleTrait.php
@@ -288,7 +288,7 @@ public function composerUpdate($path, $action = 'install')
{
$composer = Composer::getComposerExecutor();
- return system($composer . ' --working-dir="'.$path.'" --no-interaction --no-dev --prefer-dist -o '. $action);
+ return system($composer . ' --working-dir=' . escapeshellarg($path) . ' --no-interaction --no-dev --prefer-dist -o '. $action);
}
/**
diff --git a/system/src/Grav/Console/Gpm/InstallCommand.php b/system/src/Grav/Console/Gpm/InstallCommand.php
index a2aca0a45d..5ad47f8d4f 100644
--- a/system/src/Grav/Console/Gpm/InstallCommand.php
+++ b/system/src/Grav/Console/Gpm/InstallCommand.php
@@ -485,7 +485,7 @@ private function processSymlink(Package $package): void
{
$io = $this->getIO();
- exec('cd ' . $this->destination);
+ exec('cd ' . escapeshellarg($this->destination));
$to = $this->destination . DS . $package->install_path;
$from = $this->getSymlinkSource($package);