From 9a5598f56633c098c13404e235cb13e32683b8c0 Mon Sep 17 00:00:00 2001
From: Diogo Baeder
Date: Thu, 17 Dec 2015 18:56:43 -0200
Subject: Returning HTTP 404 for static serving when the requested path has null bytes
---
 cherrypy/lib/static.py | 2 +-
 cherrypy/test/test_static.py | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/cherrypy/lib/static.py b/cherrypy/lib/static.py
index a630dae6..a26dd4ac 100644
--- a/cherrypy/lib/static.py
+++ b/cherrypy/lib/static.py
@@ -49,7 +49,7 @@ def serve_file(path, content_type=None, disposition=None, name=None,
 try:
 st = os.stat(path)
- except OSError:
+ except (OSError, TypeError):
 if debug:
 cherrypy.log('os.stat(%r) failed' % path, 'TOOLS.STATIC')
 raise cherrypy.NotFound()
diff --git a/cherrypy/test/test_static.py b/cherrypy/test/test_static.py
index 0526844f..3d6f07bf 100644
--- a/cherrypy/test/test_static.py
+++ b/cherrypy/test/test_static.py
@@ -119,7 +119,7 @@ class StaticTest(helper.CPWebCase):
 pass
 teardown_server = staticmethod(teardown_server)
- def testStatic(self):
+ def test_static(self):
 self.getPage("/static/index.html")
 self.assertStatus('200 OK')
 self.assertHeader('Content-Type', 'text/html')
@@ -333,6 +333,10 @@ class StaticTest(helper.CPWebCase):
 self.assertStatus(404)
 self.assertInBody("I couldn't find that thing")
+ def test_null_bytes(self):
+ self.getPage("/static/\x00")
+ self.assertStatus('404 Not Found')
+
 def error_page_404(status, message, traceback, version):
 import os.path
 return static.serve_file(os.path.join(curdir, 'static', '404.html'),
-- 
cgit v1.2.1
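Review bot: The widened `except (OSError, TypeError):` around `os.stat(path)` in cherrypy/lib/static.py only covers the null-byte failure on interpreters that report it as TypeError. Python 3 raises ValueError ("embedded null byte") from os.stat, so there the request would still escape this handler instead of reaching `raise cherrypy.NotFound()`. I would write `except (OSError, TypeError, ValueError):` and add a comment such as `# TypeError (Python 2) / ValueError (Python 3): path contains a null byte`. Catching TypeError also turns a non-string `path` passed by a caller into a 404, which can hide a programming error, so an explicit null-byte check before the stat may be the clearer guard. serve_file's body starts and ends outside the hunk.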
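Review bot: `test_null_bytes` in cherrypy/test/test_static.py sends only a literal `\x00` as the whole file name, so it does not pin the behaviour for the percent-encoded form or for a null byte following a valid name. Assuming the server decodes the request path before it reaches serve_file, a second case such as `self.getPage("/static/index.html%00")` with the same `self.assertStatus('404 Not Found')` would cover that. A short docstring on the test saying that a null byte in a static path must yield 404 rather than a server error would also record the intent. The StaticTest class continues outside the hunk.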