diff --git a/modules/luci-base/luasrc/util.lua b/modules/luci-base/luasrc/util.lua
index 28c126621d..06a889cfc8 100644
--- a/modules/luci-base/luasrc/util.lua
+++ b/modules/luci-base/luasrc/util.lua
@@ -164,6 +164,10 @@ function striptags(value)
 	return value and tparser.striptags(tostring(value))
 end
 
+function shellquote(value)
+	return string.format("'%s'", string.gsub(value or "", "'", "'\\''"))
+end
+
 -- for bash, ash and similar shells single-quoted strings are taken
 -- literally except for single quotes (which terminate the string)
 -- (and the exception noted below for dash (-) at the start of a
@@ -656,7 +660,7 @@ function checklib(fullpathexe, wantedlib)
 	if not haveldd or not haveexe then
 		return false
 	end
-	local libs = exec("/usr/bin/ldd " .. fullpathexe)
+	local libs = exec(string.format("/usr/bin/ldd %s", shellquote(fullpathexe)))
 	if not libs then
 		return false
 	end
diff --git a/modules/luci-base/luasrc/util.luadoc b/modules/luci-base/luasrc/util.luadoc
index 949aeb21c0..79a17a2280 100644
--- a/modules/luci-base/luasrc/util.luadoc
+++ b/modules/luci-base/luasrc/util.luadoc
@@ -82,6 +82,15 @@ Strip HTML tags from given string.
 @return	String with HTML tags stripped of
 ]]
 
+---[[
+Safely quote value for use in shell commands.
+
+@class function
+@name shellquote
+@param value  String containing the value to quote
+@return Single-quote enclosed string with embedded quotes escaped
+]]
+
 ---[[
 Splits given string on a defined separator sequence and return a table