Report
CVE-2018-20483: wget leaks URL credentials into POSIX extended file attributes (xattrs)
41b0b64e-b0ee-4b92-9bd9-fb9d04b28605
When wget downloads a file from a URL containing embedded credentials (e.g., ftp://user:password@host/path or http://user:password@host/path), it stores the full original URL — including the plaintext password — as a POSIX extended file attribute (user.xdg.origin.url) on the downloaded file. Any local user or process with read access to the file can retrieve the credentials with: getfattr -n user.xdg.origin.url file.txt
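An audit sketch for the leak described above, added here as an example and not taken from the report or from wget: it walks a directory tree, reads user.xdg.origin.url from each file, and lists the files whose stored URL carries a password, printing the URL with the userinfo redacted. The function names (url_has_password, redact, scan) are hypothetical; it assumes Linux and Python 3.9 or later.

```python
import os
import sys
from urllib.parse import urlsplit

ATTR = "user.xdg.origin.url"  # attribute name given in the report


def url_has_password(url: str) -> bool:
    """True when the URL's userinfo part carries a password (user:pass@host)."""
    try:
        return urlsplit(url).password is not None
    except ValueError:
        return False  # malformed URL, nothing reliable to report


def redact(url: str) -> str:
    """Return the URL with the userinfo replaced, safe to print in a report."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    host = parts.netloc.rpartition("@")[2]
    return parts._replace(netloc="REDACTED@" + host).geturl()


def scan(root: str) -> list[tuple[str, str]]:
    """Walk root; return (path, redacted_url) for files whose origin xattr holds a password."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, ATTR, follow_symlinks=False)
            except (OSError, AttributeError):
                continue  # attribute absent, xattrs unsupported, or file unreadable
            url = raw.decode("utf-8", "replace")
            if url_has_password(url):
                findings.append((path, redact(url)))
    return findings


if __name__ == "__main__":
    for path, url in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}\t{url}")
        # After review, the attribute can be cleared with os.removexattr(path, ATTR)
```

Clearing the attribute does not undo the exposure: a password found this way should be rotated, since any local reader of the file could already have retrieved it.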