diff --git a/bureau/class/m_bro.php b/bureau/class/m_bro.php
index 13aa3fd4..cd276b55 100644
--- a/bureau/class/m_bro.php
+++ b/bureau/class/m_bro.php
@@ -428,6 +428,8 @@ class m_bro {
 $err->raise("bro",1);
 return false;
 }
+ $file = escapeshellarg($file);
+ $dest = escapeshellarg($dest);
 if ($i == 0) {
 #TODO new version of tar supports `tar xf ...` so there is no
 # need to specify the compression format
@@ -534,8 +536,10 @@ class m_bro {
 */
 // Last step // Copy -R
- $src = escapeshellarg($this->convertabsolute($src));
- $dest = escapeshellarg($this->convertabsolute($dest));
+ $src = $this->convertabsolute($src);
+ $dest = $this->convertabsolute($dest);
+ $src = escapeshellarg($src);
+ $dest = escapeshellarg($dest);
 if (!$src || !$dest) {
 $err->raise("bro",1);
 return false;
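Review bot: The two added lines overwrite `$file` and `$dest` with their shell-quoted forms, so every later use in this function sees a string wrapped in quotes rather than a path. The command strings that consume them start below the hunk and are not visible here. If any of them still wraps the value in its own double quotes, the single quotes from `escapeshellarg()` stop protecting it, and if either variable is later handed to a filesystem function, the quoted form is not a valid path. Keeping the path and the shell argument in separate variables avoids both, e.g. `$fileArg = escapeshellarg($file);` and `$destArg = escapeshellarg($dest);`, used only inside the exec strings.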
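Review bot: The `if (!$src || !$dest)` guard in the second hunk still runs after `escapeshellarg()`, which never returns an empty string (an empty or false input comes back as a pair of quotes), so the guard cannot fire and a path rejected by `convertabsolute()` would reach the copy command as an empty argument. This assumes `convertabsolute()` signals failure with a falsy value, which the guard implies but the hunk does not show. The removed lines had the same ordering, and the new two-step form makes the fix a simple move: keep `$src = $this->convertabsolute($src);` and `$dest = $this->convertabsolute($dest);`, run the `if (!$src || !$dest)` block next, and only then assign `$src = escapeshellarg($src);` and `$dest = escapeshellarg($dest);`. The guard's block and the rest of the function continue below the hunk.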