CVE-2018-20483: wget --xattr leaks URL credentials into extended attributes
Wget 1.19 with --xattr (opt.enable_xattr) writes the raw download URL into the POSIX extended attribute user.xdg.origin.url (and user.xdg.referrer.url) of every saved file. The URL is taken straight from struct url's u->url field, which preserves embedded HTTP Basic credentials of the form https://user:password@host/path. user.* xattrs are world-readable on Linux and survive cp/tar/scp, so any local user — or any later recipient of the file — can run getfattr -d <file> and recover the cleartext username and password. This is CVE-2018-20483, an information-leak vulnerability.
Running grep -rn set_file_metadata src/ located the definition in src/xattr.c and the call sites at src/http.c:3953 and src/ftp.c:1584.
3. Read src/xattr.c lines 59-79: set_file_metadata only runs origin_url/referrer_url through escnonprint_uri() (escapes nonprintables) before fsetxattr — no userinfo stripping.
4. Inspected struct url in src/url.h:81-106 — char *url is the original URL string (set by url_string(u, URL_AUTH_SHOW) in src/url.c:954,1188), so credentials remain intact.
5. Compared with safe call sites: grep -n url_string src/*.c showed src/http.c:4116/4298/4317 and src/ftp.c:1945/2048 and src/recur.c:452/582 all use URL_AUTH_HIDE_PASSWD or URL_AUTH_HIDE for logging/referer — but the xattr writer skips that scrubbing step, which is the bug.
6. Caller in src/http.c:3949-3956 passes u->url and original_url->url verbatim; src/ftp.c:1584 passes u->url verbatim. Both reach set_file_metadata unscrubbed.
(A) Caller-side: change src/http.c:3953-3955 and src/ftp.c:1584 to pass url_string(u, URL_AUTH_HIDE) (free the buffer afterwards) instead of u->url / original_url->url.
(B) Callee-side: in src/xattr.c set_file_metadata, re-parse the incoming URL with url_parse() and serialize via url_string(u, URL_AUTH_HIDE) before write_xattr_metadata, so even non-wget callers can't leak.
Upstream wget addressed this in 1.20 by sanitizing the URL passed to xattr.
Exploit / verification PoC:
wget --xattr 'http://alice:hunter2@127.0.0.1:8000/secret' -O /tmp/loot
getfattr -d /tmp/loot
user.xdg.origin.url="http://alice:hunter2@127.0.0.1:8000/secret"
Generalization: any code that persists a "source URL" as metadata (xattrs, EXIF, ID3, document properties, telemetry, audit logs, .desktop files, downloaded-file attributes) must use a redacted serializer at the persistence boundary — not just for user-facing logs.
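As an added example (not wget's code and not its url_string()), the scrubbing step that fix options (A) and (B) call for and the redacted-serializer rule above, written as a stand-alone C unit: strip_userinfo() drops the userinfo from the authority component the way url_string(u, URL_AUTH_HIDE) would, origin_url_value() shows the vulnerable versus fixed value that would reach fsetxattr, and xattr_value_leaks_credentials() is the check to run over a getfattr dump to find files that already carry credentials. The function names and the sample URLs are assumptions; the inputs are constructed, with the PoC URL from this note reused as the main case.

```c
#include <stdio.h>
#include <string.h>

/* Copy `url` into `out` with any userinfo ("user:pass@") removed from the
 * authority.  Returns 1 if userinfo was stripped, 0 if the URL was already
 * clean, -1 if `out` is too small.  Hypothetical helper for this note; it
 * stands in for wget's url_string(u, URL_AUTH_HIDE) at the xattr boundary.
 * A string without "scheme://" is copied unchanged: wget's u->url always
 * carries a scheme, so nothing before "://" is treated as an authority. */
int strip_userinfo(const char *url, char *out, size_t outlen)
{
    size_t len = strlen(url);
    const char *auth_start = NULL, *auth_end = NULL, *at = NULL;
    const char *p = strstr(url, "://");

    if (p) {
        auth_start = p + 3;
        /* The authority ends at the first '/', '?' or '#' after "://". */
        auth_end = auth_start + strcspn(auth_start, "/?#");
        /* Userinfo is everything up to the LAST '@' inside the authority:
         * an unencoded '@' in the password must not cut it short, and an
         * '@' later in the path or query is not a credential. */
        for (const char *q = auth_start; q < auth_end; q++)
            if (*q == '@')
                at = q;
    }

    if (!at) {
        if (len + 1 > outlen)
            return -1;
        memcpy(out, url, len + 1);
        return 0;
    }

    size_t head = (size_t)(auth_start - url); /* "scheme://" */
    size_t tail = strlen(at + 1);             /* host[:port]/path... */
    if (head + tail + 1 > outlen)
        return -1;
    memcpy(out, url, head);
    memcpy(out + head, at + 1, tail + 1);     /* includes the NUL */
    return 1;
}

/* The value that would be written to user.xdg.origin.url.  redact == 0
 * reproduces the CVE-2018-20483 behaviour (raw u->url persisted);
 * redact != 0 is the fixed path.  Returns NULL if `buf` is too small. */
const char *origin_url_value(const char *raw, int redact,
                             char *buf, size_t buflen)
{
    if (!redact)
        return raw;
    if (strip_userinfo(raw, buf, buflen) < 0)
        return NULL;
    return buf;
}

/* Detection for files already on disk: a stored origin/referrer URL carries
 * credentials exactly when stripping it changes it.  Feed it each
 * user.xdg.origin.url / user.xdg.referrer.url value from getfattr -d. */
int xattr_value_leaks_credentials(const char *value)
{
    char tmp[4096];
    return strip_userinfo(value, tmp, sizeof tmp) == 1;
}

int main(void)
{
    /* Constructed sample: the URL from the PoC in this note. */
    const char *raw = "http://alice:hunter2@127.0.0.1:8000/secret";
    char buf[4096];

    printf("vulnerable xattr value: %s\n",
           origin_url_value(raw, 0, buf, sizeof buf));
    printf("fixed xattr value     : %s\n",
           origin_url_value(raw, 1, buf, sizeof buf));
    printf("leaks credentials     : %d\n",
           xattr_value_leaks_credentials(raw));
    return 0;
}
```

The last-'@'-in-authority rule matters for the detection side as much as for the fix: a password containing an unencoded '@' would otherwise leave a partial credential in the attribute, and a '@' in the path (common in API routes and mailto-style paths) would otherwise produce false positives when sweeping a filesystem.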