CVE-2024-38428: wget url_skip_credentials semicolon causes hostname confusion

In wget src/url.c, the function url_skip_credentials (lines 525-534) uses strpbrk(url, "@/?#;") to locate the credential '@' delimiter. The semicolon ';' is included in the scan set because FTP URLs use it as a params separator. However, RFC 2396 explicitly allows ';' as a valid character inside the userinfo component. When a URL like http://user;info@real-host.com/ is processed: strpbrk finds ';' before '@', *p != '@' causes the function to return the original pointer (treating the URL as having no credentials). url_parse then sets host_b to the un-advanced pointer, and for HTTP (where ';' is not in seps), extracts the entire 'user;info@real-host.com' string as the hostname. wget then does DNS lookup on this malformed string, causing hostname confusion — the URL appears to target real-host.com but wget does not connect there. This is CVE-2024-38428, fixed in wget 1.24.5.