diff --git a/src/common/helpers.py b/src/common/helpers.py
index 722fbebe24860e20ebe745a960a901f7b3270851..97996f01ba991c813c194fd28072ccb50e416c2b 100644
--- a/src/common/helpers.py
+++ b/src/common/helpers.py
@@ -40,6 +40,7 @@ import errno
 import select
 import base64
 import hashlib
+import shlex
 import caps_cache
 
 from encodings.punycode import punycode_encode
@@ -381,8 +382,18 @@ def is_in_path(command, return_abs_path=False):
             pass
     return False
 
-def exec_command(command):
-    subprocess.Popen('%s &' % command, shell=True).wait()
+def exec_command(command, use_shell=False):
+    """
+    execute a command. if use_shell is True, we run the command as is it was
+    typed in a console. So it may be dangerous if you are not sure about what
+    is executed.
+    """
+    if use_shell:
+        subprocess.Popen('%s &' % command, shell=True).wait()
+    else:
+        args = shlex.split(command.encode('utf-8'))
+        p = subprocess.Popen(args)
+        gajim.thread_interface(p.wait)
 
 def build_command(executable, parameter):
     # we add to the parameter (can hold path with spaces)
diff --git a/src/notify.py b/src/notify.py
index a8a7378634b964a8e42214225fe7c565c337d010..1f6eada51cc1cd3cd32405394e76ca89f5754e17 100644
--- a/src/notify.py
+++ b/src/notify.py
@@ -167,7 +167,7 @@ class Notification:
 
         if obj.do_command:
             try:
-                helpers.exec_command(obj.command)
+                helpers.exec_command(obj.command, use_shell=True)
             except Exception:
                 pass