Unchecked CRLF in filename allows to inject FTP commands.
vulners.com/securityvulns/securityvulns:doc:16443