Report

CVE-2018-20483: Information Leak via Extended Attributes in wget xattr.c


Wget's extended file attribute feature (the --xattr flag) stores the full download URL, including any embedded credentials, in POSIX extended file attributes. The set_file_metadata function in src/xattr.c receives raw URL strings that may contain authentication information (username:password@host) and stores them unchanged in the user.xdg.origin.url and user.xdg.referrer.url attributes. Because these attributes are readable by any local user via getfattr or similar tools, this is an information leak that exposes API keys, session IDs, and credentials embedded in URLs to other local users.

Analysis of the wget v1.19 codebase shows the following vulnerability chain: (1) http.c calls set_file_metadata with u->url, the raw URL with embedded credentials (around line 2100 in http.c). (2) set_file_metadata in xattr.c (lines 60-79) passes these raw URLs to write_xattr_metadata, which stores them via fsetxattr. (3) The escnonprint_uri function only escapes non-printable characters and preserves all other URL content, credentials included. (4) The URL structure has separate url->user and url->passwd fields, plus a url->url field holding the concatenated raw string. The building block for a fix already exists: url_string(url, URL_AUTH_HIDE) reconstructs a URL without credentials, but set_file_metadata does not use it.

Recommended fix: modify set_file_metadata in src/xattr.c to strip credentials before storing URLs, replacing the direct storage of origin_url and referrer_url with sanitized versions. This requires either (1) changing set_file_metadata to accept URL structures instead of strings and calling url_string(url, URL_AUTH_HIDE), or (2) adding credential-stripping logic that removes user:password@ patterns before storage. The patch should ensure that only the scheme, host, port, path, query, and fragment are stored, never the userinfo portion of the URL.

The vulnerable code path is confirmed present. It can be verified by downloading a file with embedded credentials using 'wget --xattr https://user:pass@example.com/file' and then reading the extended attributes with 'getfattr -d file'. The full credential string appears in user.xdg.origin.url. After patching to use URL_AUTH_HIDE mode, the extended attributes should contain only the URL without the userinfo portion.
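As an added illustration of fix option (2), not code from wget and not the upstream patch, the following standalone C function removes the userinfo portion of an absolute URL before the string is written anywhere world-readable such as an xattr; `strip_userinfo` is a hypothetical name, and the sample URLs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Copy `url` into `out` with any "user:pass@" userinfo removed.
 * Only an '@' inside the authority (between "://" and the first
 * '/', '?' or '#') counts as userinfo; an '@' in the path or query
 * is left alone. Returns the output length, or -1 if `url` is not
 * an absolute URL or `out` is too small. Hypothetical helper. */
int strip_userinfo(const char *url, char *out, size_t outlen)
{
    const char *scheme_end = strstr(url, "://");
    if (!scheme_end)
        return -1;
    const char *authority = scheme_end + 3;
    size_t auth_len = strcspn(authority, "/?#");

    /* Use the last '@' in the authority: passwords may themselves contain '@'. */
    const char *at = NULL;
    for (const char *p = authority; p < authority + auth_len; p++)
        if (*p == '@')
            at = p;

    const char *host_start = at ? at + 1 : authority;
    size_t prefix_len = (size_t)(authority - url);   /* "scheme://" */
    size_t rest_len = strlen(host_start);            /* host[:port]/path?query#frag */
    if (prefix_len + rest_len + 1 > outlen)
        return -1;

    memcpy(out, url, prefix_len);
    memcpy(out + prefix_len, host_start, rest_len + 1); /* includes the NUL */
    return (int)(prefix_len + rest_len);
}

int main(void)
{
    /* Constructed example mirroring the report's verification step. */
    const char *origin = "https://user:pass@example.com/file";
    char safe[256];
    if (strip_userinfo(origin, safe, sizeof safe) < 0)
        return 1;
    printf("raw:       %s\n", origin);
    printf("sanitized: %s\n", safe);   /* https://example.com/file */
    return 0;
}
```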
