Sending a "GET /\0" causes a TypeEror to be raised and the connection to be unexpectedly closed. 

$ python -m SimpleHTTPServer 8000
$ printf "GET /\00" | nc localhost 8000

TypeError: must be encoded string without NULL bytes, not str
----------------------------------------

I think raising a 400 error should be fine. Also, shouldn't the error message contain a repr(string)?

[From http://corte.si/posts/code/pathod/pythonservers/index.html]

Note: on python3, the error is 
  File "/[...]/cpython/Lib/genericpath.py", line 41, in isdir
    st = os.stat(s)
TypeError: embedded NUL character
(same exception but different message.)

I don't know where to start fixing, because the documentation for os.stat says "Perform the equivalent of a stat() system call on the given path.", which is not exactly the correct behavior in this case.

I see that 
$ printf "/\00" | xargs stat
stat()s correctly the root directory, and
$ printf "/\00tmp" | xargs stat
stat()s still '/'. So, is this a bug of os.stat?

Noising some coredevs.

There has been some discussion about what the correct behavior of os.stat is, as well, I think.  Alex Gaynor raised a question about testing our behavior when nulls are present.

But clearly, if the desired behavior for url processing is different from the actual behavior of os.stat, you need to catch the error and turn it into the correct response.  I don't think we can change this aspect of the behavior of os.stat for a bug fix, even if we decide we want to.

Attaching tests that asserts the issue, and a patch for http.server. 
Works on tip.
Should be ported also to 2.x?

Note: that 'f = None' is unnecessary, maybe an isolated commit for that?

Is this really a security issue? If so, that should be explained.

Well, it is a security issue IMO, but not particularly harmful. But certainly that's not a RFC violation, since I'm not sending rfc-compliant packets.[0]  

The best an attacker could do is to DDoS the server running HTTPServer: tracebacks may open file descriptors and/or send emails to the sysadmin, and hence the attacker could flood the server opening new file descriptors, or the email box.[0]
At least, this is the worst thing that came to my mind discussing with exarkun. 

[0] https://twistedmatrix.com/trac/ticket/6029

This does not seem to qualify as a security issue.

Still is an issue, though. Exported on the current tip.