diff --git a/lib/backend.py b/lib/backend.py
index 44e45f63ad164c56164804f9ed8e8025263f3b94..30984b38feaf31e2f3fa9d673c1c3180f04c2418 100644
--- a/lib/backend.py
+++ b/lib/backend.py
@@ -1658,10 +1658,11 @@ def OSFromDisk(name, base_dir=None):
   """
   if base_dir is None:
     os_dir = utils.FindFile(name, constants.OS_SEARCH_PATH, os.path.isdir)
-    if os_dir is None:
-      raise errors.InvalidOS(name, None, "OS dir not found in search path")
   else:
-    os_dir = os.path.sep.join([base_dir, name])
+    os_dir = utils.FindFile(name, [base_dir], os.path.isdir)
+
+  if os_dir is None:
+    raise errors.InvalidOS(name, None, "OS dir not found in search path")
 
   api_versions = _OSOndiskVersion(name, os_dir)
 
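Review bot: The relocated `raise errors.InvalidOS(name, None, "OS dir not found in search path")` now also fires when `base_dir` was supplied and when `FindFile` returned None because the name failed its mask check, so the message no longer describes what was actually searched. A rejected name and a missing directory become indistinguishable to the caller, which makes it harder to triage a malformed OS name. Consider wording that covers both cases, e.g. `"OS dir not found or invalid OS name"`, and naming `base_dir` in the message when it was given. The body of OSFromDisk starts before and continues past this hunk.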
diff --git a/lib/utils.py b/lib/utils.py
index df2d18027e83b7783e146cbbe58f7efa92317980..bcd8e107bbc44ff94a4bc3dc405b5547719f001d 100644
--- a/lib/utils.py
+++ b/lib/utils.py
@@ -1633,9 +1633,17 @@ def FindFile(name, search_path, test=os.path.exists):
   @return: full path to the object if found, None otherwise
 
   """
+  # validate the filename mask
+  if constants.EXT_PLUGIN_MASK.match(name) is None:
+    logging.critical("Invalid value passed for external script name: '%s'",
+                     name)
+    return None
+
   for dir_name in search_path:
     item_name = os.path.sep.join([dir_name, name])
-    if test(item_name):
+    # check the user test and that we're indeed resolving to the given
+    # basename
+    if test(item_name) and os.path.basename(item_name) == name:
       return item_name
   return None
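Review bot: In the loop, `test(item_name)` is evaluated before `os.path.basename(item_name) == name`, so the caller's test still runs on a joined path that can leave `dir_name` whenever the mask lets a separator through; `EXT_PLUGIN_MASK` is not visible here and `.match()` anchors only at the start, so this depends on the pattern ending in `$`. The basename comparison does not depend on `dir_name`, so it can be hoisted above the loop next to the mask check as `if os.path.basename(name) != name: return None`. The comment says "resolving", but no symlink resolution takes place, so `# reject names that contain a path separator` would describe the check more accurately. Logging the rejected value with `%r` rather than `'%s'` would keep control characters in the name from splitting log lines. FindFile's signature and the start of its docstring are outside this hunk.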