Report
FTP LIST parser uses unbounded date token copy before strptime
a7317251-7499-4361-a5c4-5737883e90ac
In Wget's FTP LIST parser, server-controlled tokens are accumulated into a fixed 32-byte stack buffer named date_str. The code enters the date branch for any token that contains '-' and is shorter than 12 bytes, then performs strcpy(date_str, tok); strcat(date_str, " "); before later parsing the result with strptime(). Neither call checks how much space remains in date_str, so the parser trusts remote listing syntax unsafely. This creates a stack-buffer overflow primitive if the attacker can make the parser accept a longer-than-expected sequence of date-like tokens or otherwise extend the accumulated string.
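A bounded replacement for the strcpy/strcat pair, as an added example that is not Wget's code and not part of the report: each append checks the space left in the 32-byte buffer and rejects the token instead of writing past the end. The names date_append, is_date_like and accumulate_dates, the token loop and the sample tokens are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define DATE_STR_SIZE 32 /* size of date_str as stated in the report */

/* Hypothetical helper, not Wget code: append tok and one space to the
   NUL-terminated string in dst. Rejects (returns -1) rather than
   truncating, so strptime() never sees a silently clipped date. */
static int date_append(char *dst, size_t dst_size, const char *tok)
{
    const char *end = memchr(dst, '\0', dst_size);
    if (end == NULL)
        return -1;                      /* dst is not terminated */
    size_t used = (size_t)(end - dst);
    size_t room = dst_size - used;      /* >= 1, includes the NUL slot */
    size_t tlen = strlen(tok);
    if (tlen >= room - 1)               /* need tlen + ' ' + NUL <= room */
        return -1;
    memcpy(dst + used, tok, tlen);
    dst[used + tlen] = ' ';
    dst[used + tlen + 1] = '\0';
    return 0;
}

/* The date-branch condition given in the report. */
static int is_date_like(const char *tok)
{
    return strchr(tok, '-') != NULL && strlen(tok) < 12;
}

/* Simplified model of the accumulation (an assumption, not Wget's loop):
   returns the number of tokens stored, or -1 if one would not fit. */
int accumulate_dates(const char *const *toks, size_t n,
                     char *out, size_t out_size)
{
    int taken = 0;
    if (out_size == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (!is_date_like(toks[i]))
            continue;
        if (date_append(out, out_size, toks[i]) != 0)
            return -1;
        taken++;
    }
    return taken;
}
```

Three constructed 11-byte date-like tokens would need 37 bytes under unbounded appends; here the third is rejected with 24 bytes used and the buffer left terminated.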