diff --git a/app/switch/resources/scripts/resources/functions/copy.lua b/app/switch/resources/scripts/resources/functions/copy.lua
index b7de95effd..daf56c3f51 100644
--- a/app/switch/resources/scripts/resources/functions/copy.lua
+++ b/app/switch/resources/scripts/resources/functions/copy.lua
@@ -1,5 +1,9 @@
 --add the copy function
 function copy(src,dst)
+ --retrieve allowed characters and then use it to sanitize the dir variable
+ local allowed_chars = os.getenv("ALLOWED_CHARS") or "^%a%d%-%._~/"
+ dir = dir:gsub("[^" .. allowed_chars .. "]", "")
+
 if (package.config:sub(1,1) == "/") then
 --unix
 cmd = [[cp "]] .. src .. [[" "]] .. dst .. [["]];
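Review bot: The added filter is applied to `dir`, which is neither a parameter nor a local of `copy(src,dst)`; the `cmd` string on the last line of the hunk is built from `src` and `dst`, and both still reach the command string unfiltered. If no global `dir` is set when copy() runs, `dir:gsub` raises an attempt-to-index-nil error, and if one is set the function rewrites a global it does not own. Filter the arguments instead: `local disallowed = "[^" .. allowed_chars .. "]"`, `src = src:gsub(disallowed, "")`, `dst = dst:gsub(disallowed, "")`. The default value also begins with `^`, so the class becomes `[^^%a%d%-%._~/]` and a literal `^` ends up in the allow-list, and the `ALLOWED_CHARS` environment value is spliced into the pattern unescaped, so a value containing `]` or a range would change what is accepted. The body of copy() continues past the end of the hunk, so the non-unix branch is not visible here and should get the same treatment.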