diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index 5a33d384fd..a6c839a3c4 100644
--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -4360,7 +4360,7 @@
 'ldap_simulation_file_path', 'plugin_path', 'bottom_include_page', 'top_include_page', 'default_home_page', 'logout_redirect_page', 'manual_url', 'logo_url', 'wiki_engine_url', 'cdn_enabled', 'public_config_names', 'email_login_enabled', 'email_ensure_unique',
- 'impersonate_user_threshold', 'email_retry_in_days'
+ 'impersonate_user_threshold', 'email_retry_in_days', 'neato_tool', 'dot_tool'
 );
 /**
diff --git a/core/graphviz_api.php b/core/graphviz_api.php
index 76aff5f4ae..9f6082a017 100644
--- a/core/graphviz_api.php
+++ b/core/graphviz_api.php
@@ -350,7 +350,7 @@ function output( $p_format = 'dot', $p_headers = false ) {
 # Start dot process
- $t_command = $this->graphviz_tool . ' -T' . $p_format;
+ $t_command = escapeshellcmd( $this->graphviz_tool . ' -T' . $p_format );
 $t_descriptors = array(
 0 => array( 'pipe', 'r', ),
 1 => array( 'pipe', 'w', ),
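Review bot: In the config_defaults_inc.php hunk, `'neato_tool'` and `'dot_tool'` are added to this list without a comment saying why, and the list's variable name and purpose sit above the hunk, so the security reason is easy to lose in a later cleanup. Because core/graphviz_api.php builds a shell command from the tool path, a short comment next to the new entries would help, for example `# neato_tool, dot_tool: used to build a shell command (core/graphviz_api.php); keep out of database-stored config`. If this list is what prevents options from being overridden in the database, it is also worth confirming that values already stored there for these two options are ignored or removed on upgrade; that handling is not visible here.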
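Review bot: `escapeshellcmd()` applied to the whole string in output() (core/graphviz_api.php) escapes shell metacharacters but does not quote, so whitespace inside `$this->graphviz_tool` or `$p_format` still splits into separate arguments and extra options can reach the Graphviz binary. Quoting each part on its own closes that gap: `$t_command = escapeshellarg( $this->graphviz_tool ) . ' -T' . escapeshellarg( $p_format );`, which assumes the configured tool value is a bare path with no arguments of its own. Whether `$p_format` is checked against a fixed list of formats earlier in output() is not visible in this hunk, which starts and ends inside the function. If it is not, an allow-list check before the command is built would be the stronger control.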