diff --git a/src/ChangeLog b/src/ChangeLog
index d5044c72..29ab9f30 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2005-05-07  Hrvoje Niksic  <hniksic@xemacs.org>
+
+	* ftp-basic.c (ftp_request): Prevent newlines in VALUE causing
+	inadvertent sending of multiple FTP commands.
+
 2005-05-07  Hrvoje Niksic  <hniksic@xemacs.org>
 
 	* url.c (decide_copy_method): Never cause reencode_escapes to
diff --git a/src/ftp-basic.c b/src/ftp-basic.c
index c6df9b88..379a6eab 100644
--- a/src/ftp-basic.c
+++ b/src/ftp-basic.c
@@ -103,7 +103,27 @@ ftp_request (const char *command, const char *value)
 {
   char *res;
   if (value)
-    res = concat_strings (command, " ", value, "\r\n", (char *) 0);
+    {
+      /* Check for newlines in VALUE (possibly injected by the %0A URL
+	 escape) making the callers inadvertently send multiple FTP
+	 commands at once.  Without this check an attacker could
+	 intentionally redirect to ftp://server/fakedir%0Acommand.../
+	 and execute arbitrary FTP command on a remote FTP server.  */
+      if (strpbrk (value, "\r\n"))
+	{
+	  /* Copy VALUE to the stack and modify CR/LF to space. */
+	  char *defanged, *p;
+	  STRDUP_ALLOCA (defanged, value);
+	  for (p = defanged; *p; p++)
+	    if (*p == '\r' || *p == '\n')
+	      *p = ' ';
+	  DEBUGP (("\nDetected newlines in %s \"%s\"; changing to %s \"%s\"\n",
+		   command, escnonprint (value), command, escnonprint (defanged)));
+	  /* Make VALUE point to the defanged copy of the string. */
+	  value = defanged;
+	}
+      res = concat_strings (command, " ", value, "\r\n", (char *) 0);
+    }
   else
     res = concat_strings (command, "\r\n", (char *) 0);
   if (opt.server_response)