Report
CVE-2018-20483 - Information Leak via Extended File Attributes in wget
3056b93e-0252-41b4-a46a-a8f3266d97c9
When run with the --xattr option, wget stores metadata about downloaded files in extended file attributes (xattr). The set_file_metadata() function in src/xattr.c writes the complete origin URL and referrer URL to the user.xdg.origin.url and user.xdg.referrer.url attributes without sanitizing sensitive information. URLs frequently contain sensitive data such as API keys, authentication tokens, session IDs, OAuth credentials, or other authentication credentials. These extended attributes are readable by any local user with filesystem access, creating an information leak vulnerability.
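An audit sketch for the leak described above, added here as an example (it is not wget's code or its fix): on Linux it walks a directory, reads the two attributes named in the report, and lists which stored URLs carry userinfo or secret-looking query parameters, without printing the values themselves. The function names and the SECRET_HINTS list are assumptions made for this example.

```python
import os
import sys
from urllib.parse import urlsplit, parse_qsl

# Attribute names taken from the report above.
XATTRS = ("user.xdg.origin.url", "user.xdg.referrer.url")
# Constructed heuristic list of parameter-name fragments; extend it for your environment.
SECRET_HINTS = ("key", "token", "secret", "sig", "session", "sid", "auth", "pass", "code")


def findings_for_url(url):
    """Return reasons a stored URL may leak a secret (never the secret itself)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return ["unparseable"]  # malformed value: flag it for manual review
    reasons = []
    if parts.username is not None or parts.password is not None:
        reasons.append("userinfo")
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if any(hint in name.lower() for hint in SECRET_HINTS):
            reasons.append("query:" + name)
    return reasons


def scan_tree(root):
    """Yield (path, attribute, reasons) for files under root with risky URL xattrs."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            for attr in XATTRS:
                try:
                    # os.getxattr is available on Linux only.
                    raw = os.getxattr(path, attr, follow_symlinks=False)
                except OSError:
                    continue  # attribute absent, unreadable, or xattrs unsupported
                reasons = findings_for_url(raw.decode("utf-8", "replace"))
                if reasons:
                    yield path, attr, reasons


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, attr, reasons in scan_tree(root):
        print(f"{path}\t{attr}\t{','.join(reasons)}")
```

Files it reports can be cleaned with `setfattr -x <attribute> <file>`, and any credential that appeared in a stored URL should be treated as exposed to other local users.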