2 files changed, 14 insertions, 0 deletions

diff --git a/tests/fixtures/index.html b/tests/fixtures/index.html
new file mode 100644
index 000000000..a37df5790
--- /dev/null
+++ b/tests/fixtures/index.html
@@ -0,0 +1 @@
+<h1>DON'T GO HERE</h1>
diff --git a/tests/test_static.py b/tests/test_static.py
index af487fa24..97978f2a4 100644
--- a/tests/test_static.py
+++ b/tests/test_static.py
@@ -104,6 +104,19 @@ class Test_static_view_use_subpath_False(unittest.TestCase):
 
         self.assertRaises(HTTPNotFound, inst, context, request)
 
+    def test_oob_nul_char(self):
+        import os
+
+        inst = self._makeOne(f'{os.getcwd()}/tests/fixtures/static')
+        dds = '..\x00/'
+        request = self._makeRequest(
+            {'PATH_INFO': f'/{dds}'}
+        )
+        context = DummyContext()
+        from pyramid.httpexceptions import HTTPNotFound
+
+        self.assertRaises(HTTPNotFound, inst, context, request)
+
     def test_resource_doesnt_exist(self):
         inst = self._makeOne('tests:fixtures/static')
         request = self._makeRequest({'PATH_INFO': '/notthere'})