diff --git a/actionpack/lib/action_controller/url_rewriter.rb b/actionpack/lib/action_controller/url_rewriter.rb
index d2b324da968abb60992cbaf98703787693beb797..66b77e405f21c63c695e3248ccd0526013b071df 100644
--- a/actionpack/lib/action_controller/url_rewriter.rb
+++ b/actionpack/lib/action_controller/url_rewriter.rb
@@ -111,7 +111,7 @@ def rewrite_path(options)
       
       def rewrite_authentication(options)
         if options[:user] && options[:password]
-          "#{options.delete(:user)}:#{options.delete(:password)}@"
+          "#{CGI.escape(options.delete(:user))}:#{CGI.escape(options.delete(:password))}@"
         else
           ""
         end
diff --git a/actionpack/test/controller/url_rewriter_test.rb b/actionpack/test/controller/url_rewriter_test.rb
index 178f44f15f8a513f3457a461ed389c084e53fbf6..fb3e318ffd20a3bf507418a280cf74a38beef341 100644
--- a/actionpack/test/controller/url_rewriter_test.rb
+++ b/actionpack/test/controller/url_rewriter_test.rb
@@ -29,7 +29,14 @@ def test_user_name_and_password
       @rewriter.rewrite(:user => "david", :password => "secret", :controller => 'c', :action => 'a', :id => 'i')
     )
   end
-  
+
+  def test_user_name_and_password_with_escape_codes
+    assert_equal(
+      'http://openid.aol.com%2Fnextangler:one+two%3F@test.host/c/a/i',
+      @rewriter.rewrite(:user => "openid.aol.com/nextangler", :password => "one two?", :controller => 'c', :action => 'a', :id => 'i')
+    )
+  end
+
   def test_overwrite_params
     @params[:controller] = 'hi'
     @params[:action] = 'bye'