Wget CVE-2018-20483 - HTTP credentials leaked via user.xdg.origin.url xattr

Wget stores u->url (which is built with URL_AUTH_SHOW preserving username:password) into user.xdg.origin.url and user.xdg.referrer.url extended attributes on downloaded files. Files with HTTP/FTP basic-auth credentials leak those credentials to anyone who can read the file's xattrs, persisting across copies on xattr-aware filesystems.