diff --git a/README.md b/README.md
index 390cd85110657cdf739e59eca51221dc7f2c0d07..2a11f69baaa0c7004aa35a84bff7146cd05cedb4 100644
--- a/README.md
+++ b/README.md
@@ -7,13 +7,13 @@ CaosDB project.
 
 # Getting started #
 
-To run tests, start up a CaosDB server (documentation for this can be found
-elsewhere). Then modify `pycaosdb.ini.template` accordingly and save it as
-`pycaosdb.ini`.  Then you can run the tests with `pytest` or `pytest-3`
-(depending on your system).
-
-If you want to run just a single test, you can also select a single test file:
-`pytest-3 tests/test_issues.py`
+- To run tests, start up a CaosDB server with (documentation for this can be found elsewhere).
+  - The CaosDB server must have debugging enabled.
+  - Certificates must be valid and be listed in `pycaosdb.ini`.
+- Modify `pycaosdb.ini.template` accordingly and save it as `pycaosdb.ini`.
+- Run the tests with `pytest` or `pytest-3` (depending on your system).
+- If you want to run just a single test, you can also select a single test file:  
+  `pytest-3 tests/test_issues.py`
 
 # Further Reading
 
diff --git a/tests/test_issues_server.py b/tests/test_issues_server.py
index 7b7ebc6a40675d06cab83ba56f59069b25e85330..9022e7dcbe5456128a7994e187ab9d675cff5cbb 100644
--- a/tests/test_issues_server.py
+++ b/tests/test_issues_server.py
@@ -147,7 +147,8 @@ def test_issue_99():
     """Checksum updating failed with versioning enabled.
     """
 
-    # Using files in extroot, because this allows us to update the file content from the outside.
+    # Using files in extroot, because this allows us to update the file
+    # content from the outside.
     local_dir = os.path.join(db.get_config().get("IntegrationTests",
                                                  "test_files.test_insert_files_in_dir.local"),
                              "test_issue_99")
diff --git a/tests/test_server_side_scripting.py b/tests/test_server_side_scripting.py
index 45bb6f7bf1e4075080454ad292fd74da7f601cf7..7ecc50121a2e2fc2eaaf3d31659d5ff0bc2bc604 100644
--- a/tests/test_server_side_scripting.py
+++ b/tests/test_server_side_scripting.py
@@ -63,7 +63,7 @@ def setup():
 
 
 def teardown():
-    admin.set_server_property("SERVER_SIDE_SCRIPTING_BIN_DIR",
+    admin.set_server_property("SERVER_SIDE_SCRIPTING_BIN_DIRS",
                               _ORIGINAL_SERVER_SCRIPTING_BIN_DIR)
     clean_database()
 
@@ -71,7 +71,7 @@ def teardown():
 def setup_module():
     global _ORIGINAL_SERVER_SCRIPTING_BIN_DIR
     _ORIGINAL_SERVER_SCRIPTING_BIN_DIR = admin.get_server_property(
-        "SERVER_SIDE_SCRIPTING_BIN_DIR")
+        "SERVER_SIDE_SCRIPTING_BIN_DIRS")
     clean_database()
 
     from os import makedirs
@@ -113,7 +113,7 @@ def test_call_script_non_existing():
 
 
 def test_call_script_not_executable():
-    admin.set_server_property("SERVER_SIDE_SCRIPTING_BIN_DIR",
+    admin.set_server_property("SERVER_SIDE_SCRIPTING_BIN_DIRS",
                               _SERVER_SIDE_SCRIPTING_BIN_DIR_SERVER)
     form = dict()
     form["call"] = "not_executable"
@@ -123,7 +123,7 @@ def test_call_script_not_executable():
 
 
 def test_call_ok():
-    admin.set_server_property("SERVER_SIDE_SCRIPTING_BIN_DIR",
+    admin.set_server_property("SERVER_SIDE_SCRIPTING_BIN_DIRS",
                               _SERVER_SIDE_SCRIPTING_BIN_DIR_SERVER)
     form = dict()
     form["call"] = "ok"
@@ -136,7 +136,7 @@ def test_call_ok():
 
 
 def test_call_err():
-    admin.set_server_property("SERVER_SIDE_SCRIPTING_BIN_DIR",
+    admin.set_server_property("SERVER_SIDE_SCRIPTING_BIN_DIRS",
                               _SERVER_SIDE_SCRIPTING_BIN_DIR_SERVER)
     form = dict()
     form["call"] = "err"
@@ -352,7 +352,7 @@ def test_anonymous_script_calling_not_permitted():
 
 
 def test_anonymous_script_calling_success():
-    admin.set_server_property("SERVER_SIDE_SCRIPTING_BIN_DIR",
+    admin.set_server_property("SERVER_SIDE_SCRIPTING_BIN_DIRS",
                               _SERVER_SIDE_SCRIPTING_BIN_DIR_SERVER)
     form = dict()
     form["call"] = "ok_anonymous"
@@ -379,3 +379,22 @@ def test_anonymous_script_calling_success():
     assert xml.xpath("/Response/script/stdout")[0].text == "ok_anonymous"
     assert xml.xpath("/Response/script/stderr")[0].text is None
     assert xml.xpath("/Response/script/@code")[0] == "0"
+
+
+def test_evil_path():
+    subdir = os.path.join(_SERVER_SIDE_SCRIPTING_BIN_DIR_LOCAL, "subdir")
+    if not os.path.exists(subdir):
+        os.makedirs(subdir)
+        _REMOVE_FILES_AFTERWARDS.append(subdir)
+    admin.set_server_property("SERVER_SIDE_SCRIPTING_BIN_DIRS",
+                              os.path.join(_SERVER_SIDE_SCRIPTING_BIN_DIR_SERVER,
+                                           "subdir"))
+
+    # ok exists one level up from "subdir"
+    assert os.path.exists(
+        os.path.join(
+            _SERVER_SIDE_SCRIPTING_BIN_DIR_LOCAL,
+            "ok"))
+
+    with raises(EntityDoesNotExistError):
+        r = run_server_side_script("../ok")
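Review bot: In `test_evil_path`, `raises(EntityDoesNotExistError)` passes for any reason the server cannot find the script, so the test does not show that the rejection comes from confining lookups to `SERVER_SIDE_SCRIPTING_BIN_DIRS`; a wrongly set `subdir` path on the server would produce the same result. A positive control would make the negative result attributable: put a script inside `subdir`, assert that it runs, and only then assert that `../ok` is refused. The local `os.path.exists` check on `ok` also appears to rely on that file having been created elsewhere in the module (not visible in this hunk), so the test should either create it itself or say where it comes from. The function has no docstring, for example `"""A script path containing ".." must not resolve outside the configured bin dir."""`, and the `r =` binding is unused, so `run_server_side_script("../ok")` alone is enough.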