CVE-2018-20483: wget --xattr leaks URL credentials into user.xdg.origin.url extended attribute
wget v1.19 with --enable-xattr persists the originating download URL into the file's user.xdg.origin.url POSIX extended attribute via set_file_metadata() in src/xattr.c. The URL passed in (u->url from http.c:3953/3955 and ftp.c:1584) is the full, unsanitized URL string, which may contain HTTP Basic Auth credentials in the userinfo component (https://user:pass@host/...) or sensitive query parameters (api_key, token). escnonprint_uri() only escapes non-printable bytes; it does not strip credentials. Extended attributes in the user.* namespace are world-readable, so any local user can run getfattr -d on the downloaded file and recover the credentials. This is an information-leak vulnerability: secrets that were only transmitted over TLS to the server are now exposed to every local UID with read access to the file.
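One way to sanitize a URL before it is written to user.xdg.origin.url, shown as an added example that is not wget's code or its upstream fix. strip_url_secrets() is a hypothetical helper and the sample URLs are constructed; it drops the userinfo component and everything from the query string onward.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a wget function): copy url into out with the
   userinfo ("user:pass@"), query string and fragment removed.
   Returns 0 on success, -1 if out is too small. */
int strip_url_secrets(const char *url, char *out, size_t outlen)
{
    const char *auth = strstr(url, "://");
    auth = auth ? auth + 3 : url;            /* start of the authority */
    size_t auth_len = strcspn(auth, "/?#");  /* authority ends at first / ? # */
    const char *host = auth;

    /* Userinfo ends at the LAST '@' inside the authority, so a password
       holding a raw '@' is removed whole. An '@' in the path is kept. */
    for (size_t i = 0; i < auth_len; i++)
        if (auth[i] == '@')
            host = auth + i + 1;

    size_t scheme_len = (size_t)(auth - url);
    size_t rest_len = strcspn(host, "?#");   /* host + path only */
    if (scheme_len + rest_len + 1 > outlen)
        return -1;

    memcpy(out, url, scheme_len);
    memcpy(out + scheme_len, host, rest_len);
    out[scheme_len + rest_len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample URLs, not taken from any real system. */
    const char *samples[] = {
        "https://user:pass@host.example/file.tar.gz?api_key=abc123",
        "ftp://anonymous:p@ss@ftp.example/pub/x",
        "https://host.example/a@b",
    };
    char buf[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (strip_url_secrets(samples[i], buf, sizeof buf) == 0)
            printf("%s\n", buf);
    return 0;
}
```

Files already written with the unsanitized URL keep that attribute value; getfattr -d on the file shows what is stored.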