Report

CVE-2018-20483: wget --xattr leaks HTTP Basic-Auth credentials into user.xdg.origin.url

9258273a-a1dc-4b49-91e2-b267ece125a2

CVE-2018-20483: wget before 1.20.1, when run with --xattr (opt.enable_xattr), persists the raw origin URL into the user.xdg.origin.url POSIX extended attribute of each downloaded file. The raw URL still contains any userinfo the user embedded in it (e.g. http://user:password@host/path), i.e. the HTTP Basic-auth or FTP login credentials, so the password lands on disk beside the file. user.* xattrs are readable by anyone with read access to the file, and they travel with cp --preserve=xattr, rsync -X and tar --xattrs, so the credentials leak to other local users, to recipients of archives and to hosting providers that store the file. The user.xdg.referrer.url xattr, written when a redirect was followed, has the same problem. Bug class: information leak. Call chain hint from the briefing: main -> retrieve_url -> fd_write_body -> set_file_metadata.

Steps:

  1. grep -rn set_file_metadata src/ → src/xattr.c (definition), src/http.c, src/ftp.c (callers).
  2. Read src/xattr.c lines 59-79: set_file_metadata calls write_xattr_metadata("user.xdg.origin.url", escnonprint_uri(origin_url), fp) which delegates to fsetxattr(fd, name, value, strlen(value), 0).
  3. Read src/http.c around line 3949-3956: callers pass u->url (and original_url->url) directly — the raw URL string the user supplied.
  4. Read src/ftp.c around line 1582-1585: same pattern — set_file_metadata(u->url, NULL, fp).
  5. Confirm u->url is the raw original URL: src/url.h line 83, char *url; /* Original URL */ inside struct url. The struct also carries separate user/passwd fields (lines 99-101): the parser copies the credentials into those fields but leaves the original string in url as it was typed, userinfo included, so nothing is stripped from what the callers pass.
  6. wget already has a credential-redacting helper: src/url.h lines 59-63 define enum url_auth_mode { URL_AUTH_SHOW, URL_AUTH_HIDE_PASSWD, URL_AUTH_HIDE } and line 129 declares char *url_string(const struct url *, enum url_auth_mode); but set_file_metadata never calls it. The remediation follows directly: have the callers hand over the struct url and write url_string(u, URL_AUTH_HIDE) into the attribute instead of u->url, for the referrer value as well.

Useful grep patterns (the alternation in the last one needs -E; with a basic regex a bare | is matched literally):

  grep -rn 'set_file_metadata' src/
  grep -n 'struct url' src/url.h
  grep -nE 'url_auth_mode|URL_AUTH_' src/url.h
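To make the finding from the steps above concrete, here is an added example (my own code, not wget's): the write pattern the report describes beside a hardened variant, and a check that inspects the two wget attributes on files already on disk. It assumes Linux (sys/xattr.h, ENODATA); the function names are hypothetical, redact_userinfo() reimplements what wget's url_string(u, URL_AUTH_HIDE) renders rather than calling it, and the sample URL is constructed.

```c
/* Added example, not wget's code. Assumes Linux (sys/xattr.h, ENODATA); the
 * hypothetical redact_userinfo() reimplements what wget's url_string(u,
 * URL_AUTH_HIDE) renders instead of calling it; the sample URL is constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/xattr.h>

#define ORIGIN_XATTR   "user.xdg.origin.url"
#define REFERRER_XATTR "user.xdg.referrer.url"

/* Start of the host (one past the last '@' of the authority) if the URL carries
 * userinfo, else NULL. RFC 3986 forbids a raw '@' in the host; the authority
 * ends at the first '/', '?' or '#', so '@' in a query string is ignored. */
static const char *after_userinfo(const char *url)
{
    const char *auth = strstr(url, "://");
    if (!auth)
        return NULL;
    auth += 3;
    for (const char *p = auth + strcspn(auth, "/?#"); p > auth; p--)
        if (p[-1] == '@')
            return p;
    return NULL;
}

/* 1 if the URL embeds credentials ("user:pass@host"), else 0. */
int has_userinfo(const char *url) { return after_userinfo(url) != NULL; }

/* Copy url to out with the userinfo removed; NULL if it does not fit. */
char *redact_userinfo(const char *url, char *out, size_t outlen)
{
    const char *host = after_userinfo(url);
    size_t prefix = host ? (size_t)(strstr(url, "://") + 3 - url) : 0;
    const char *tail = host ? host : url;       /* copied verbatim */
    size_t taillen = strlen(tail);
    if (prefix + taillen >= outlen)
        return NULL;
    memcpy(out, url, prefix);                   /* "scheme://" */
    memcpy(out + prefix, tail, taillen + 1);    /* host... plus the NUL */
    return out;
}

/* Same via a static buffer, convenient for inspection and tests. */
const char *redacted(const char *url)
{
    static char buf[4096];
    return redact_userinfo(url, buf, sizeof buf);
}

/* Hardened variant of the write: redact before the value reaches fsetxattr. */
int write_origin_xattr_safe(int fd, const char *url)
{
    const char *v = redacted(url);
    return v ? fsetxattr(fd, ORIGIN_XATTR, v, strlen(v), 0) : -1;
}

/* 1 if attribute name on path holds userinfo, 0 if clean, absent or
 * unsupported by the filesystem, -1 on any other error. */
static int xattr_has_userinfo(const char *path, const char *name)
{
    char buf[4096];
    ssize_t n = getxattr(path, name, buf, sizeof buf - 1);
    if (n < 0)
        return (errno == ENODATA || errno == ENOTSUP) ? 0 : -1;
    buf[n] = '\0';
    return has_userinfo(buf);
}

/* Check for already-downloaded files: both wget attributes are inspected. */
int file_leaks_credentials(const char *path)
{
    int o = xattr_has_userinfo(path, ORIGIN_XATTR);
    int r = xattr_has_userinfo(path, REFERRER_XATTR);
    return (o < 0 || r < 0) ? -1 : (o || r);
}

int main(void)
{
    /* Constructed sample: what a user types when the server wants Basic auth. */
    const char *url = "http://alice:s3cret@example.invalid/files/report.pdf";
    char path[] = "/tmp/xattr-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return 1;
    printf("value a fixed writer stores: %s\n", redacted(url));
    /* The report's pattern: the raw URL string goes straight into the attribute. */
    if (fsetxattr(fd, ORIGIN_XATTR, url, strlen(url), 0) < 0)
        printf("fsetxattr: %s (no user.* xattr support here?)\n", strerror(errno));
    else {
        printf("after raw write:  leaks=%d\n", file_leaks_credentials(path));
        write_origin_xattr_safe(fd, url);        /* flags 0: value is replaced */
        printf("after safe write: leaks=%d\n", file_leaks_credentials(path));
    }
    close(fd);
    unlink(path);
    return 0;
}
```

file_leaks_credentials() is the part worth keeping around: run it (or the equivalent getfattr -n user.xdg.origin.url) over a download directory produced by an affected wget to find files that still carry a password, and strip the attribute with setfattr -x before the files are copied, archived or shared. The scan treats ENOTSUP as clean on purpose, so it can run over filesystems that never stored the attribute in the first place.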