The Java and Python runtimes fail to properly validate FTP URLs, which can potentially allow attackers to punch holes through firewalls to access local networks.

However, it turns out that the built-in implementation of the FTP client in Java doesn’t filter out special CR (carriage return) and LF (line feed) characters from URLs and actually interprets them.