--- a/FuzzyOcr/Config.pm
+++ b/FuzzyOcr/Config.pm
@@ -577,7 +577,7 @@ sub parse_config {
 return 1;
 } elsif ($opts->{key} eq 'focr_bin_helper') {
 my @cmd; $conf = $opts->{conf};
- my $val = $opts->{value}; $val =~ s/[\s]*//g;
+ my $val = Mail::SpamAssassin::Util::untaint_var($opts->{value}); $val =~ s/[\s]*//g;
 debuglog("focr_bin_helper: '$val'");
 foreach my $bin (split(',',$val)) {
 unless (grep {m/$bin/} @bin_utils) {
@@ -618,6 +618,7 @@ sub finish_parsing_end {
 delete $conf->{$b};
 }
 if (defined $conf->{$b}) {
+ $conf->{$b} = Mail::SpamAssassin::Util::untaint_var($conf->{$b});
 debuglog("Using $a => $conf->{$b}");
 } else {
 foreach my $p (@paths) {
diff --git a/FuzzyOcr/Logging.pm b/FuzzyOcr/Logging.pm
index bed9ff5..ef02b32 100644
--- a/FuzzyOcr/Logging.pm
+++ b/FuzzyOcr/Logging.pm
@@ -31,7 +31,8 @@ sub logfile {
 my $time = strftime("%Y-%m-%d %H:%M:%S",localtime(time));
 $logtext =~ s/\n/\n /g;
- unless ( open LOGFILE, ">>", $conf->{focr_logfile} ) {
+ my $fname = Mail::SpamAssassin::Util::untaint_file_path($conf->{focr_logfile});
+ unless ( open LOGFILE, ">>", $fname ) {
 warn "Can't open $conf->{focr_logfile} for writing, check permissions";
 return;
 }
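Review bot: `untaint_var` on the added line of the parse_config hunk strips taint from `focr_bin_helper` without checking its content, so taint mode no longer constrains what ends up in the helper list; the finish_parsing_end hunk applies the same blanket untaint to `$conf->{$b}`, which presumably holds a helper path and would be better served by `untaint_file_path`, the validating variant this commit already uses in Logging.pm. In parse_config each `$bin` is then interpolated unescaped into `grep {m/$bin/} @bin_utils`, so a value containing regex metacharacters matches several known utilities instead of exactly one. Validate with an anchored allowlist and untaint from the capture, e.g. `my ($val) = ($opts->{value} =~ /\A([\w.,\s-]+)\z/);` ahead of the existing whitespace strip, and match literally with `grep { $_ eq $bin } @bin_utils` (or `m/\Q$bin\E/`). Both parse_config and finish_parsing_end continue outside their hunks.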
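Review bot: `untaint_file_path` yields an empty value when it rejects a path, so `$fname` can be undef at the new `open` in logfile; the open then fails and the existing warning blames permissions, which points the operator at the wrong cause. Guard it before the open, `unless (defined $fname) { warn "Refusing to use suspicious focr_logfile path '$conf->{focr_logfile}'"; return; }`. The rewritten open still writes through the bareword global `LOGFILE`; a lexical handle, `open my $log_fh, '>>', $fname`, avoids sharing one global handle across a long-lived process. logfile's body continues outside the hunk.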