diff --git a/fly/lib/common.sh b/fly/lib/common.sh
index d0e5a9a3..a30bbb9f 100644
--- a/fly/lib/common.sh
+++ b/fly/lib/common.sh
@@ -553,10 +553,15 @@ upload_file() {
 return 1
 fi
- # base64 output is safe (alphanumeric + /+=) so no injection risk
 local content
 content=$(base64 -w0 < "$local_path" 2>/dev/null || base64 < "$local_path")
+ # SECURITY: Validate base64 output contains only safe characters (defense-in-depth)
+ if [[ "${content}" =~ [^A-Za-z0-9+/=] ]]; then
+ log_error "upload_file: base64 output contains unexpected characters"
+ return 1
+ fi
+
 run_server "printf '%s' '${content}' | base64 -d > '${remote_path}'"
 }
diff --git a/shared/key-request.sh b/shared/key-request.sh
index 5ddcf840..3e16db9c 100644
--- a/shared/key-request.sh
+++ b/shared/key-request.sh
@@ -92,7 +92,8 @@ print(v)
 fi
 # SECURITY: val is already validated against ^[a-zA-Z0-9._/@-]+$ above,
 # and var_name is validated against ^[A-Z_][A-Z0-9_]*$ by the caller.
- eval "${var_name}=\${val}"
+ # Use printf -v for safe variable assignment (no command substitution/expansion).
+ printf -v "${var_name}" '%s' "${val}"
 export "${var_name}"
 return 0
 fi
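Review bot: The new character check in upload_file does not cover the case where both `base64` invocations fail: `content` is then empty, the regex does not match, and the remote command receives an empty stream that truncates `${remote_path}` to zero bytes while the function reports nothing (unless `set -e` is in effect when the assignment fails); `if [[ -z "${content}" || "${content}" =~ [^A-Za-z0-9+/=] ]]; then` closes that gap. The same check also rejects newlines, so should the fallback `base64` (the one run when `-w0` is unsupported) emit line-wrapped output, the upload now fails closed on that host even though a newline inside the single-quoted argument would have been harmless to `base64 -d`; stripping them with `content=${content//$'\n'/}` before the check keeps that path usable. `${remote_path}` is still spliced into the remote command inside single quotes with no validation visible in this hunk, so unless it is checked above, a path containing a single quote escapes the quoting on the server side. The body of upload_file begins before the hunk.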
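Review bot: The return status of the new `printf -v` is not checked; if `${var_name}` names a readonly variable the assignment fails with a non-zero status and the variable is left unchanged, yet the function goes on to `export` it and `return 0`, reporting success for a value that was never set (the replaced `eval` had the same gap). `printf -v "${var_name}" '%s' "${val}" || return 1` keeps that failure visible to the caller. The name pattern quoted in the comment, `^[A-Z_][A-Z0-9_]*$`, still admits `PATH`, `IFS`, `BASH_ENV` and similar, so if `var_name` can be influenced by the request rather than fixed by the caller, an allowlist or a mandatory prefix check before this assignment would be worth adding. The enclosing function starts and ends outside the hunk.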