diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
index f5d7729b..4d6495ad 100644
--- a/lib/sinatra/base.rb
+++ b/lib/sinatra/base.rb
@@ -1058,8 +1058,11 @@ module Sinatra
     # Attempt to serve static files from public directory. Throws :halt when
     # a matching file is found, returns nil otherwise.
     def static!(options = {})
-      return if (public_dir = settings.public_folder).nil?
-      path = File.expand_path("#{public_dir}#{URI_INSTANCE.unescape(request.path_info)}" )
+      return if (public_dir = settings.public_folder).nil?
+      path = "#{public_dir}#{URI_INSTANCE.unescape(request.path_info)}"
+      return unless valid_path?(path)
+
+      path = File.expand_path(path)
       return unless File.file?(path)
 
       env['sinatra.static_file'] = path
diff --git a/test/static_test.rb b/test/static_test.rb
index 1c6cb35e..5c166af6 100644
--- a/test/static_test.rb
+++ b/test/static_test.rb
@@ -59,6 +59,11 @@ class StaticTest < Minitest::Test
     assert not_found?
   end
 
+  it 'passes to the next handler when the path contains null bytes' do
+    get "/foo%00"
+    assert not_found?
+  end
+
   it 'passes to the next handler when the static option is disabled' do
     @app.set :static, false
     get "/#{File.basename(__FILE__)}"
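Review bot: The ordering of `return unless valid_path?(path)` ahead of `path = File.expand_path(path)` in static! is load-bearing and nothing in the hunk says why the expansion was split off the interpolation; a one-line comment would keep a later cleanup from merging them back: `# Validate before expand_path, which raises ArgumentError on a string containing a null byte.` valid_path? is defined outside this hunk, so what it rejects beyond the null-byte case covered by the new test cannot be confirmed here. In the visible lines the expanded path is checked with File.file? but not for remaining under public_dir; if that containment is enforced elsewhere (middleware or a later line of this method), a short pointer in the method's header comment would save the next reader from re-deriving it, and if it is not, the test hunk only pins the null-byte case. The body of static! continues past the end of the hunk.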