diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
index 8f0d00c7cd..4b5fbb0ce2 100644
--- a/lib/sinatra/base.rb
+++ b/lib/sinatra/base.rb
@@ -1090,6 +1090,7 @@ def static!(options = {})
       return unless valid_path?(path)
       path = File.expand_path(path)
+      return unless path.start_with?(File.expand_path(public_dir) + '/')
       return unless File.file?(path)
       env['sinatra.static_file'] = path
diff --git a/test/static_test.rb b/test/static_test.rb
index 71ed5eb055..cefe55f9c1 100644
--- a/test/static_test.rb
+++ b/test/static_test.rb
@@ -97,6 +97,7 @@ class StaticTest < Minitest::Test
     mock_app do
       set :static, true
       set :public_folder, __dir__ + '/data'
+      disable :protection
     end
     get "/../#{File.basename(__FILE__)}"
     assert not_found?
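Review bot: The added `start_with?` guard in `static!` is the security-relevant line of this change, yet nothing in the hunk says why a normalised path can still fall outside `public_dir`; a maintainer may later "simplify" it away, so document it: `# After expand_path, reject anything that resolved outside public_folder (e.g. via "..") so a static lookup can never read a file elsewhere on disk.`. Note that `File.expand_path` normalises `..` but does not resolve symlinks, so a link placed inside `public_folder` that points outside still passes this check; if that is intended (symlinked asset directories are common) say so in the same comment, otherwise `File.realpath` would be the stricter comparison. The trailing `'/'` matters for correctness — it stops a sibling directory with `public_dir` as a prefix from matching — and deserves a word in the comment too. `static!` and the `public_dir` local both begin outside the hunk.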
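Review bot: `disable :protection` in the test setup has no explanation, so a reader cannot tell whether it is incidental or the point of the test; it appears to exist so that the request reaches `static!` without the protection middleware normalising `/../` first, meaning the assertion now exercises the guard in `static!` itself. Add `# Bypass the protection middleware so the traversal guard in static! is what is under test` above the new line. The test covers only the literal `/../` form; the enclosing test method starts and ends outside the hunk, so whether other forms are covered elsewhere cannot be judged from here.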