diff -rupN leptonica-1.74.4/src/allheaders.h leptonica-1.74.4-new/src/allheaders.h
--- leptonica-1.74.4/src/allheaders.h	2017-06-11 22:04:50.000000000 +0200
+++ leptonica-1.74.4-new/src/allheaders.h	2018-02-22 13:19:04.587885801 +0100
@@ -2635,6 +2635,7 @@ LEPT_DLL extern l_int32 stringJoinIP ( c
 LEPT_DLL extern char * stringReverse ( const char *src );
 LEPT_DLL extern char * strtokSafe ( char *cstr, const char *seps, char **psaveptr );
 LEPT_DLL extern l_int32 stringSplitOnToken ( char *cstr, const char *seps, char **phead, char **ptail );
+LEPT_DLL extern l_int32 stringCheckForChars ( const char *src, const char *chars, l_int32 *pfound );
 LEPT_DLL extern char * stringRemoveChars ( const char *src, const char *remchars );
 LEPT_DLL extern l_int32 stringFindSubstr ( const char *src, const char *sub, l_int32 *ploc );
 LEPT_DLL extern char * stringReplaceSubstr ( const char *src, const char *sub1, const char *sub2, l_int32 *pfound, l_int32 *ploc );
diff -rupN leptonica-1.74.4/src/gplot.c leptonica-1.74.4-new/src/gplot.c
--- leptonica-1.74.4/src/gplot.c	2017-06-11 22:04:50.000000000 +0200
+++ leptonica-1.74.4-new/src/gplot.c	2018-02-22 13:19:04.587885801 +0100
@@ -146,9 +146,10 @@ gplotCreate(const char  *rootname,
             const char  *xlabel,
             const char  *ylabel)
 {
-char   *newroot;
-char    buf[L_BUF_SIZE];
-GPLOT  *gplot;
+char    *newroot;
+char     buf[L_BUF_SIZE];
+l_int32  badchar;
+GPLOT   *gplot;
 
     PROCNAME("gplotCreate");
 
@@ -157,6 +158,9 @@ GPLOT  *gplot;
     if (outformat != GPLOT_PNG && outformat != GPLOT_PS &&
         outformat != GPLOT_EPS && outformat != GPLOT_LATEX)
         return (GPLOT *)ERROR_PTR("outformat invalid", procName, NULL);
+    stringCheckForChars(rootname, "`;&|><\"?*", &badchar);
+    if (badchar)  /* danger of command injection */
+        return (GPLOT *)ERROR_PTR("invalid rootname", procName, NULL);
 
     if ((gplot = (GPLOT *)LEPT_CALLOC(1, sizeof(GPLOT))) == NULL)
         return (GPLOT *)ERROR_PTR("gplot not made", procName, NULL);
diff -rupN leptonica-1.74.4/src/utils2.c leptonica-1.74.4-new/src/utils2.c
--- leptonica-1.74.4/src/utils2.c	2017-06-11 22:04:50.000000000 +0200
+++ leptonica-1.74.4-new/src/utils2.c	2018-02-22 13:19:04.587885801 +0100
@@ -42,6 +42,7 @@
  *           l_int32    stringSplitOnToken()
  *
  *       Find and replace string and array procs
+ *           l_int32    stringCheckForChars()
  *           char      *stringRemoveChars()
  *           l_int32    stringFindSubstr()
  *           char      *stringReplaceSubstr()
@@ -699,6 +700,48 @@ char  *saveptr;
  *                       Find and replace procs                       *
  *--------------------------------------------------------------------*/
 /*!
+ * \brief   stringCheckForChars()
+ *
+ * \param[in]    src      input string; can be of zero length
+ * \param[in]    chars    string of chars to be searched for in %src
+ * \param[out]   pfound   1 if any characters are found; 0 otherwise
+ * \return  0 if OK, 1 on error
+ *
+ * <pre>
+ * Notes:
+ *      (1) This can be used to sanitize an operation by checking for
+ *          special characters that don't belong in a string.
+ * </pre>
+ */
+l_int32
+stringCheckForChars(const char  *src,
+                    const char  *chars,
+                    l_int32     *pfound)
+{
+char     ch;
+l_int32  i, n;
+
+    PROCNAME("stringCheckForChars");
+
+    if (!pfound)
+        return ERROR_INT("&found not defined", procName, 1);
+    *pfound = FALSE;
+    if (!src || !chars)
+        return ERROR_INT("src and chars not both defined", procName, 1);
+
+    n = strlen(src);
+    for (i = 0; i < n; i++) {
+        ch = src[i];
+        if (strchr(chars, ch)) {
+            *pfound = TRUE;
+            break;
+        }
+    }
+    return 0;
+}
+
+
+/*!
  * \brief   stringRemoveChars()
  *
  * \param[in]    src input string; can be of zero length