Report

CVE-2018-20483: wget --xattr leaks credentials via user.xdg.origin.url

49bb28eb-83a2-40f8-a528-c64e16700292

wget v1.12+ with --xattr (compiled with USE_XATTR / ENABLE_XATTR) writes the full request URL to the POSIX extended attribute user.xdg.origin.url (and user.xdg.referrer.url) on the downloaded file. The URL passed in is u->url, which is built by url_string(u, URL_AUTH_SHOW) so it still contains userinfo (user:password@). When a user runs wget --xattr https://alice:s3cret@example.com/file, the cleartext password is persisted in the file's xattr and recoverable by anyone who can read the file (other local users, recipients of the file copied with cp -a, tar --xattrs, or rsync -X).

Call chain: main -> retrieve_url -> fd_write_body -> set_file_metadata. Affected sites:

  • src/http.c:3953-3955 — set_file_metadata(u->url, original_url->url, fp);
  • src/ftp.c:1584 — set_file_metadata(u->url, NULL, fp);
  • src/xattr.c:60-79 — set_file_metadata writes user.xdg.origin.url / user.xdg.referrer.url via fsetxattr.
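A defender-side check for files that already carry the leak, as an added example that is not part of this report or of wget's own code. It reads the two attribute names named above with Python's os.getxattr (Linux), flags any value whose authority still contains userinfo, and can rewrite the attribute with the credentials stripped, which is the same redaction wget's URL_AUTH_HIDE rendering would have produced. The helper names (strip_userinfo, audit_attrs, redact_file) and the sample attribute values in the demonstration are constructed for this example.

```python
"""Audit downloaded files for credentials left in wget's --xattr metadata.

Added example, not code from the CVE-2018-20483 report or from wget itself.
"""
import os
import sys
from urllib.parse import urlsplit, urlunsplit

# Attribute names written by wget's set_file_metadata (src/xattr.c), per the report.
WGET_URL_XATTRS = ("user.xdg.origin.url", "user.xdg.referrer.url")


def userinfo_in_url(url: str) -> bool:
    """True when the URL's authority carries userinfo (user@ or user:password@)."""
    return "@" in urlsplit(url).netloc


def strip_userinfo(url: str) -> str:
    """Return the URL with userinfo removed; host, port, path, query and fragment are kept.

    Userinfo may only contain '@' percent-encoded, so the last '@' in the
    authority separates userinfo from host:port.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    hostport = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, hostport, parts.path, parts.query, parts.fragment))


def audit_attrs(attrs: dict) -> dict:
    """Map xattr name -> redacted value for every wget URL attribute that exposes userinfo.

    `attrs` is a plain mapping of attribute name to decoded value, so the logic
    can be exercised without touching a filesystem.
    """
    findings = {}
    for name in WGET_URL_XATTRS:
        value = attrs.get(name)
        if value and userinfo_in_url(value):
            findings[name] = strip_userinfo(value)
    return findings


def read_wget_xattrs(path: str) -> dict:
    """Read wget's URL xattrs from a real file (Linux only); absent attributes are skipped."""
    attrs = {}
    for name in WGET_URL_XATTRS:
        try:
            attrs[name] = os.getxattr(path, name).decode("utf-8", "replace")
        except OSError:  # ENODATA (attribute absent) or ENOTSUP (no xattr support)
            pass
    return attrs


def redact_file(path: str, dry_run: bool = True) -> dict:
    """Report, and with dry_run=False rewrite, leaking URL xattrs on one file."""
    findings = audit_attrs(read_wget_xattrs(path))
    if not dry_run:
        for name, clean in findings.items():
            os.setxattr(path, name, clean.encode("utf-8"))
    return findings


if __name__ == "__main__":
    # Constructed demonstration: these values stand in for what a file fetched with
    # `wget --xattr https://alice:s3cret@example.com/file` would carry.
    sample = {
        "user.xdg.origin.url": "https://alice:s3cret@example.com/file",
        "user.xdg.referrer.url": "https://example.com/index.html",
    }
    for name, clean in audit_attrs(sample).items():
        print(f"sample: {name} leaks credentials, would rewrite to {clean}")

    # Real files: `python audit_xattr.py [--fix] FILE...`
    fix = "--fix" in sys.argv
    for path in (a for a in sys.argv[1:] if a != "--fix"):
        for name, clean in redact_file(path, dry_run=not fix).items():
            print(f"{path}: {name} leaks credentials -> {clean}")
```

Run it without arguments to see the constructed sample flagged; pass file paths to audit real downloads, and add --fix to rewrite the attributes in place. Only user.xdg.origin.url is reported for the sample because the referrer value carries no userinfo.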