Report
CVE-2018-20483: Wget stores credentials in extended file attributes (information-leak)
1d201700-a938-47a2-9230-75d8b92bc1f5
Wget (v1.19) stores the full origin URL — including embedded username and password — in POSIX extended file attributes (xattr) when the --xattr / --enable-xattr option is used. When a user downloads a file from a URL like http://alice:secret@example.com/file, the extended attribute user.xdg.origin.url of the saved file will contain the plaintext credential alice:secret. Any local user or process with read access to the file can extract these credentials with getfattr or attr. The bug affects both HTTP (src/http.c) and FTP (src/ftp.c) downloads.
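An audit for the exposure described above, as an added example that is not part of the original report or of Wget's code: it walks a directory tree, flags files whose user.xdg.origin.url attribute carries embedded credentials, and can rewrite the attribute without them. The function names and the --fix switch are this script's own, and it assumes Linux, where Python exposes os.getxattr and os.setxattr.

```python
import os
import sys
from urllib.parse import urlsplit, urlunsplit

ORIGIN_ATTR = "user.xdg.origin.url"  # attribute name given in the report


def strip_userinfo(url):
    """Return (clean_url, had_credentials) for a URL string."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return url, False  # unparseable value: leave it for manual review
    if parts.username is None and parts.password is None:
        return url, False
    # Drop everything up to the last '@' of the authority component,
    # so a password that itself contains '@' is removed in full.
    host = parts.netloc.rpartition("@")[2]
    return urlunsplit(parts._replace(netloc=host)), True


def audit_tree(root, fix=False):
    """Yield paths whose origin attribute embeds credentials; scrub if fix."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, ORIGIN_ATTR, follow_symlinks=False)
            except OSError:
                continue  # attribute absent, or xattrs unsupported here
            clean, leaked = strip_userinfo(raw.decode("utf-8", "replace"))
            if not leaked:
                continue
            if fix:
                os.setxattr(path, ORIGIN_ATTR, clean.encode(),
                            follow_symlinks=False)
            yield path


if __name__ == "__main__":
    args = sys.argv[1:]
    fix = "--fix" in args  # hypothetical switch of this script, not of wget
    roots = [a for a in args if a != "--fix"] or ["."]
    for r in roots:
        for hit in audit_tree(r, fix):
            print(("scrubbed: " if fix else "credentials in xattr: ") + hit)
```

Scrubbing the attribute does not undo the disclosure: a credential found this way was readable by anyone with read access to the file and should be rotated.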