diff --git a/kdc/connect.c b/kdc/connect.c
index deb772e3c..c7b9c6d8c 100644
--- a/kdc/connect.c
+++ b/kdc/connect.c
@@ -493,7 +493,7 @@ de_http(char *buf)
 {
     char *p, *q;
     for(p = q = buf; *p; p++, q++) {
-	if(*p == '%') {
+	if(*p == '%' && isxdigit(p[1]) && isxdigit(p[2])) {
 	    unsigned int x;
 	    if(sscanf(p + 1, "%2x", &x) != 1)
 		return -1;