diff --git a/langset.sh b/langset.sh
index 2e3f8fb..32accaa 100644
--- a/langset.sh
+++ b/langset.sh
@@ -9,18 +9,23 @@ if [ $# != 0 ]; then keytable=$2 else lang=en_US + keytable= for o in $(cat /proc/cmdline); do case $o in lang=*) - eval $o + lang="${o#*=}" ;; keytable=*) - eval $o + keytable="${o#*=}" ;; esac done fi +# Avoid directory traversal through / +lang="${lang//\/}" +keytable="${keytable//\/}" + # Strip potential .UTF-8 suffix lang="${lang%%.*}"
@@ -83,6 +88,6 @@ fi [ -n "$TIMEZONE" ] && [ -f "/usr/share/zoneinfo/$TIMEZONE" ] && rm -f /etc/localtime && ln -s /usr/share/zoneinfo/$TIMEZONE /etc/localtime # Override with the cmdline provided one, if possible -[ -z "$keytable" ] || localectl set-keymap $keytable +[ -z "$keytable" ] || localectl set-keymap -- "$keytable" echo "$lang" > /var/lib/zypp/RequestedLocales
diff --git a/live-langset-data.changes b/live-langset-data.changes
index daf99ba..8a7e1e3 100644
--- a/live-langset-data.changes
+++ b/live-langset-data.changes
@@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Sep 26 13:54:57 UTC 2022 - Fabian Vogt + +- Parse lang=/keytable= options more explicitly (boo#1202925) + ------------------------------------------------------------------- Mon Jun 28 10:16:55 UTC 2021 - Fabian Vogt
diff --git a/live-langset-data.spec b/live-langset-data.spec
index 3e2c8cc..5749c20 100644
--- a/live-langset-data.spec
+++ b/live-langset-data.spec
@@ -1,7 +1,7 @@ # # spec file for package live-langset-data # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed
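Review bot: The sanitisation added after the `fi` in the first langset.sh hunk removes only `/`, so `lang` and `keytable` can still carry any other character taken from /proc/cmdline (a leading `-`, glob characters), and a value such as `lang=/` ends up empty instead of falling back to `en_US`. An allowlist states the intent more tightly than a denylist, for example `case $lang in ''|*[!A-Za-z0-9_@.-]*) lang=en_US ;; esac` and `case $keytable in *[!A-Za-z0-9_.-]*) keytable= ;; esac`. How `$lang` is used between this hunk and the final `echo` is not visible here, and the `if` block opens above the hunk, so the exact character set should be confirmed against those uses. Separately, `for o in $(cat /proc/cmdline)` still undergoes pathname expansion, so a token containing `*` or `?` is matched against the current directory before the `case` sees it; `set -f` around the loop avoids that.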
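Review bot: In the second langset.sh hunk the context line above the changed call still passes `$TIMEZONE` unquoted to `ln -s`, although the `-f` test just before it quotes the same path, so the test and the link can disagree for a value containing whitespace or glob characters. Writing it as `ln -s -- "/usr/share/zoneinfo/$TIMEZONE" /etc/localtime` would match the quoting this commit applies to `localectl set-keymap`. Where `TIMEZONE` is set is outside the hunk, so whether its value can be influenced by `lang` is not visible here.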