diff --git a/manifests/config.pp b/manifests/config.pp
index c94aa6ef..b096b6a3 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -26,12 +26,12 @@
         # For the stanard packages java::params needs these added.
         if $java::use_java_package_name != $java::default_package_name {
           $command_redhat = ['alternatives', '--install', '/usr/bin/java', 'java', $java::use_java_alternative_path, '20000']
-          $unless_redhat = "alternatives --display java | grep -q ${java::use_java_alternative_path}"
+          $unless_redhat = "alternatives --display java | grep -q ${shell_escape($java::use_java_alternative_path)}"
 
           exec { 'create-java-alternatives':
             path    => '/usr/bin:/usr/sbin:/bin:/sbin',
             command => $command_redhat,
-            unless  => shell_escape($unless_redhat),
+            unless  => $unless_redhat,
             before  => Exec['update-java-alternatives'],
           }
         }
diff --git a/spec/classes/java_spec.rb b/spec/classes/java_spec.rb
index eb49f88c..35d477aa 100644
--- a/spec/classes/java_spec.rb
+++ b/spec/classes/java_spec.rb
@@ -36,10 +36,24 @@
     let(:params) { { 'package' => 'jre', 'java_alternative' => '/usr/bin/java', 'java_alternative_path' => '/usr/java/jre1.7.0_67/bin/java' } }
 
     it { is_expected.to contain_package('java').with_name('jre') }
-    it { is_expected.to contain_exec('create-java-alternatives').with_command(['alternatives', '--install', '/usr/bin/java', 'java', '/usr/java/jre1.7.0_67/bin/java', '20000']) }
+    it {
+      is_expected.to contain_exec('create-java-alternatives').with(
+      {
+        command: ['alternatives', '--install', '/usr/bin/java', 'java', '/usr/java/jre1.7.0_67/bin/java', '20000'],
+        unless: 'alternatives --display java | grep -q /usr/java/jre1.7.0_67/bin/java',
+      },
+    )
+    }
     it { is_expected.to contain_exec('update-java-alternatives').with_command(['alternatives', '--set', 'java', '/usr/java/jre1.7.0_67/bin/java']) }
   end
 
+  context 'when select Malicious JRE with alternatives for CentOS 6.3' do
+    let(:facts) { { os: { family: 'RedHat', name: 'CentOS', release: { full: '6.3' }, architecture: 'x86_64' } } }
+    let(:params) { { 'package' => 'jre', 'java_alternative' => '/usr/bin/java', 'java_alternative_path' => '/usr/java ; rm -rf /etc' } }
+
+    it { is_expected.to contain_exec('create-java-alternatives').with_unless('alternatives --display java | grep -q /usr/java\\ \\;\\ rm\\ -rf\\ /etc') }
+  end
+
   context 'when select passed value for CentOS 5.3' do
     let(:facts) { { os: { family: 'RedHat', name: 'CentOS', release: { full: '5.3' }, architecture: 'x86_64' } } }
     let(:params) { { 'package' => 'jdk', 'java_home' => '/usr/local/lib/jre' } }