
wget CVE-2018-20483: Information leak via embedded credentials in extended file attributes


When wget downloads a file from a URL containing embedded credentials (a userinfo component, as in http://user:password@host), the full URL, including the credentials, is stored in the POSIX extended attributes (xattr) of the downloaded file via set_file_metadata(). Extended attributes can be read by other users on the system, so this leaks sensitive authentication information.
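An audit for the leak described above, as an added example that is not code from wget or from this report: it reads every extended attribute on a file, flags values that are URLs carrying a userinfo component, and returns them with the credentials removed. The function names and the attribute names in the sample data are assumptions made for this example; the sample values are constructed.

```python
import os
from urllib.parse import urlsplit, urlunsplit


def strip_userinfo(url):
    """Return url with any user:password@ removed from the authority."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    hostport = parts.netloc.rpartition("@")[2]
    return urlunsplit(parts._replace(netloc=hostport))


def has_userinfo(value):
    """True if value is an absolute URL whose authority carries userinfo."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    return bool(parts.scheme and "@" in parts.netloc)


def find_leaks(attrs):
    """attrs maps xattr name -> raw bytes. Return {name: redacted URL}."""
    leaks = {}
    for name, raw in attrs.items():
        text = raw.decode("utf-8", "replace")
        if has_userinfo(text):
            leaks[name] = strip_userinfo(text)  # never echo the secret
    return leaks


def audit_file(path):
    """Read all xattrs on path (Linux only) and report credential URLs."""
    if not hasattr(os, "listxattr"):
        return {}
    try:
        attrs = {n: os.getxattr(path, n) for n in os.listxattr(path)}
    except OSError:  # missing file, or filesystem without xattr support
        return {}
    return find_leaks(attrs)


# Constructed sample; attribute names are assumptions, not from the report.
SAMPLE = {
    "user.xdg.origin.url": b"http://user:password@host.example/f.iso",
    "user.xdg.referrer.url": b"http://host.example/index.html",
    "user.comment": b"contact admin@host.example",
}
```

Running audit_file() over the files in a shared download directory shows which ones need the attribute removed and the exposed credential rotated.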
