FileZilla fixes show how far we’ve come since Heartbleed
Users of FileZilla, the popular open source FTP client, may have noticed a rather serious looking bug described in the change log for the latest update:
Filenames containing double-quotation marks were not escaped correctly when selected for opening/editing. Depending on the associated program, parts of the filename could be interpreted as commands.
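The class of flaw that changelog entry describes is argument escaping: a filename gets wrapped in double quotes by string concatenation, and a quote character inside the name ends the quoted region early, so the rest of the name is parsed by the shell as extra words. The following Python is an added illustration written for this page, not FileZilla's own code; the editor name `ed` and the filename are constructed samples. It builds the command lines but never executes them, using `shlex.split` only to show how many words a POSIX shell would hand to the program.

```python
import shlex
import subprocess

# Constructed sample: a filename containing a double-quote character,
# the case the FileZilla changelog says was not escaped correctly.
SAMPLE_NAME = 'report" ; echo injected ; ".txt'


def naive_command(editor: str, filename: str) -> str:
    """Vulnerable pattern: wrap the name in double quotes by concatenation.
    A quote inside the name closes the quoted region early, so the remainder
    is parsed by the shell as further words (and, after ';', as commands)."""
    return f'{editor} "{filename}"'


def quoted_command(editor: str, filename: str) -> str:
    """Hardened pattern when a shell string is unavoidable: shlex.quote
    emits a single shell word whatever characters the name contains."""
    return f'{editor} {shlex.quote(filename)}'


def argv_for_editor(editor: str, filename: str) -> list:
    """Preferred pattern: an argv list passed without shell=True, so no
    shell parsing happens and the name is one argument by construction."""
    return [editor, filename]


def shell_words(command: str) -> list:
    """Tokenise a command line the way a POSIX shell would (quote handling
    only, no execution) to show how many words reach the program."""
    return shlex.split(command)


def open_with_editor(editor: str, filename: str) -> subprocess.CompletedProcess:
    """Launch the associated program safely: argv list, no shell.
    Not called in this example; shown for the pattern only."""
    return subprocess.run(argv_for_editor(editor, filename), check=False)


if __name__ == "__main__":
    print("naive  :", shell_words(naive_command("ed", SAMPLE_NAME)))
    print("quoted :", shell_words(quoted_command("ed", SAMPLE_NAME)))
    print("argv   :", argv_for_editor("ed", SAMPLE_NAME))
```

The naive form turns one filename into seven shell words, two of them separators, whereas the quoted form and the argv form both deliver the name as exactly one argument. On Windows, `subprocess` still has to build a single command string for `CreateProcess`, but it does so with the MSVC quoting rules (`subprocess.list2cmdline`) rather than by naive concatenation, so the argv pattern remains the safe default there too.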
Fixed in version 3.43.0, the flaw is one of seven separate security bugs whose discovery is credited to a bug bounty program run by the European Union, of all things.
The EU’s bureaucratic tentacles reach into many things, but a bit of freeware from an era when cover CDs were a thing still seems an odd place to find them.
Explaining why requires a brief trip down memory lane…