diff --git a/ChangeLog b/ChangeLog
index 368dc555ee..8ee3f02089 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -17,6 +17,13 @@ Thu Feb  8 15:00:14 2007  Koichi Sasada  <ko1@atdot.net>
 	* common.mk: fix around vm_opts.h path
 	  and remove harmful argument passed to insns2vm.rb.
 
+Thu Feb  8 03:11:47 2007  Yukihiro Matsumoto  <matz@ruby-lang.org>
+
+	* lib/cgi.rb (CGI::unescapeHTML): invalid decoding for single
+	  unescaped ampersand.  a patch from Tietew
+	  <tietew+ruby-dev at tietew.net> in [ruby-dev:30292].
+	  fixed: [ruby-dev:30289]
+
 Wed Feb  7 23:25:31 2007  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* eval.c (specific_eval): suppress warning.
diff --git a/lib/cgi.rb b/lib/cgi.rb
index cb348596ea..b6e432eb48 100644
--- a/lib/cgi.rb
+++ b/lib/cgi.rb
@@ -367,13 +367,13 @@ class CGI
   #   CGI::unescapeHTML("Usage: foo &quot;bar&quot; &lt;baz&gt;")
   #      # => "Usage: foo \"bar\" <baz>"
   def CGI::unescapeHTML(string)
-    string.gsub(/&(.*?);/n) do
+    string.gsub(/&(amp|quot|gt|lt|\#[0-9]+|\#x[0-9A-Fa-f]+);/n) do
       match = $1.dup
       case match
-      when /\Aamp\z/ni           then '&'
-      when /\Aquot\z/ni          then '"'
-      when /\Agt\z/ni            then '>'
-      when /\Alt\z/ni            then '<'
+      when 'amp'                 then '&'
+      when 'quot'                then '"'
+      when 'gt'                  then '>'
+      when 'lt'                  then '<'
       when /\A#0*(\d+)\z/n       then
         if Integer($1) < 256
           Integer($1).chr