Report
CVE-2018-20483: wget stores plaintext credentials in POSIX extended file attributes
80439255-0e22-4754-bd00-7c3408f389d5
In wget v1.19, when built with ENABLE_XATTR and the --xattr flag is active, wget calls set_file_metadata(u->url, original_url->url, fp) in both http.c and ftp.c after downloading a file. u->url is populated via url_string(u, URL_AUTH_SHOW), which reconstructs the full URL including plaintext embedded credentials (user:password@host). These credential-bearing URLs are written verbatim to the file's POSIX extended attributes as 'user.xdg.origin.url' and 'user.xdg.referrer.url'. Any local user or process able to read the downloaded file's xattrs can recover the plaintext password via getfattr.
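As an added example (not part of this report and not wget's own code), the following Python script checks downloaded files for the two attribute names the report identifies, flags any whose stored URL still carries a `user:password@` userinfo component, and optionally rewrites the attribute with the credentials stripped. It uses `os.getxattr`/`os.setxattr` from the standard library, which exist only on Linux; the sample URLs in the comments are constructed, and the `--scrub` flag is this script's own, not a wget option.

```python
"""Detect and scrub credential-bearing origin/referrer URLs that wget 1.19
with --xattr stored in POSIX extended attributes (CVE-2018-20483).

Added example for this report, not wget's own code.  The attribute names
come from the report; every URL in the comments below is constructed."""
import os
import sys
from urllib.parse import urlsplit, urlunsplit

# Attribute names wget writes, as stated in the report.
XATTR_NAMES = ("user.xdg.origin.url", "user.xdg.referrer.url")


def has_embedded_credentials(url: str) -> bool:
    """True if the URL authority contains a userinfo part (user or user:password)."""
    parts = urlsplit(url)
    return bool(parts.username or parts.password)


def redact_url(url: str) -> str:
    """Return the URL with the userinfo part removed, keeping host and port.

    Constructed example: ftp://alice:s3cret@example.org/pub/f.tar.gz
                      -> ftp://example.org/pub/f.tar.gz
    """
    parts = urlsplit(url)
    if not (parts.username or parts.password):
        return url
    # Everything after the last '@' in the authority is host[:port].
    netloc = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def scan_file(path: str) -> dict:
    """Return {attribute_name: url} for attributes on `path` that leak credentials.

    Missing attributes, filesystems without xattr support, unreadable or
    nonexistent files, and non-Linux platforms all yield an empty dict.
    """
    leaks = {}
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        return leaks
    for name in XATTR_NAMES:
        try:
            value = getxattr(path, name).decode("utf-8", "replace")
        except OSError:  # ENODATA, ENOTSUP, EACCES, ENOENT ...
            continue
        if has_embedded_credentials(value):
            leaks[name] = value
    return leaks


def scrub_file(path: str) -> list:
    """Rewrite each leaking attribute with the credentials stripped.

    Returns the list of attribute names that were rewritten.
    """
    fixed = []
    for name, url in scan_file(path).items():
        os.setxattr(path, name, redact_url(url).encode("utf-8"))
        fixed.append(name)
    return fixed


if __name__ == "__main__":
    # Usage: python3 xattr_cred_check.py [--scrub] FILE...
    args = sys.argv[1:]
    do_scrub = "--scrub" in args
    for p in (a for a in args if a != "--scrub"):
        for name, url in scan_file(p).items():
            print(f"{p}: {name} leaks credentials; redacted form: {redact_url(url)}")
        if do_scrub:
            for name in scrub_file(p):
                print(f"{p}: rewrote {name} without credentials")
```

Running it over a download directory lists every file whose origin or referrer attribute still embeds a password; with `--scrub` it replaces those values in place, which is the same result as the redaction wget should have applied before writing the attribute. Files copied with tools that preserve extended attributes carry the leak with them, so the scan is worth running on backups and shared directories as well as the original download location.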