diff -u b/includes/common.inc b/includes/common.inc
--- b/includes/common.inc
+++ b/includes/common.inc
@@ -3740,7 +3740,7 @@
   }
 
   // Prefix with base and remove '../' segments where possible.
-  $path = $_base . $matches[1];
+  $path = isset($matches[1]) ? $_base . $matches[1] : $_base;
   $last = '';
   while ($path != $last) {
     $last = $path;
only in patch2:
unchanged:
--- a/includes/request-sanitizer.inc
+++ b/includes/request-sanitizer.inc
@@ -99,7 +99,8 @@ class DrupalRequestSanitizer {
   protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) {
     if (is_array($input)) {
       foreach ($input as $key => $value) {
-        if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
+        $_key = (string) $key;
+        if ($_key !== '' && $_key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
           unset($input[$key]);
           $sanitized_keys[] = $key;
         }