--- wget-1.10.2/src/ftp-basic.c 2005-06-19 15:47:10.000000000 +0200 +++ wget-1.10.2/src/ftp-basic.c 2006-12-23 08:31:05.000000000 +0100 @@ -1032,12 +1032,62 @@ return FTPSRVERR; } + /* At this point check if respline follows a valid ftp server + * response. Use loops: better, faster and no overhead pushing and popping. + * + * Format: "XXX Y...Y" + * + * XXX: Three digits -- Ftp control code + * Y...Y: String -- System name (rfc943) + */ + + int l = 0; + char *p = respline; + while (*p++ != 0) l++; + + /* We allow using NO system name at all, but nothing less */ + if (l < 3) + { + xfree(respline); + return FTPSRVERR; + } + /* Skip the number (215, but 200 (!!!) in case of VMS) */ - strtok (respline, " "); + + /* Check if they are actually numbers */ + /* ord('0') = 48 */ + /* ord('9') = 57 */ + int i; + for (i = 0; i < 3; i++) + if (!((respline[i] >= 48) && (respline[i] <= 57))) + break; + + if (i != 3) + { + xfree(respline); + return FTPSRVERR; + } + + p = respline + 3; + + /* Check for correct number of chars */ + if (l > 3) + if (*p != ' ') + { + xfree(respline); + return FTPSRVERR; + } + + /* Skip spaces until some char is found (or end) */ + while ((*p != 0) && (*p == ' ')) p++; + + /* Warning: No spaces in system name allowed (see rfc810) */ + /* NOTE: If no system name is given p points to an empty string, that is, '\0' */ /* Which system type has been reported (we are interested just in the first word of the server response)? */ - request = strtok (NULL, " "); + + request = p; if (!strcasecmp (request, "VMS")) *server_type = ST_VMS;
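Review bot: `request = p;` now points at the whole remainder of the reply rather than its first word, so a reply that carries anything after the system name (a constructed example: `215 VMS extra text`) no longer matches the exact `strcasecmp (request, "VMS")` that follows, whereas the removed `strtok (NULL, " ")` cut the string at the next space. The unchanged comment still says only the first word is of interest, so the new code should terminate the word itself, e.g. `request[strcspn (request, " ")] = '\0';` right after `request = p;`. The empty-name case is handled safely: `p` then points at the terminating NUL and the comparison fails cleanly instead of being handed a NULL pointer. Smaller points: `strlen (respline)` and `'0'`/`'9'` would read better than the hand-counted loop and the literals 48/57, and `int l` / `int i` are declared after statements, which a C89 build would reject. The enclosing function begins and ends outside this hunk, so the later server-type comparisons are not visible here.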