CVE-2024-38428: GNU Wget url_skip_credentials() treats ';' as userinfo terminator
a887c716-ca9e-4b1d-8d87-c8e724a661d3
CVE-2024-38428 — GNU Wget through 1.24.5 mishandles the ';' character when locating the userinfo/host boundary in a URL. In src/url.c, url_skip_credentials() calls strpbrk(url, "@/?#;") and concludes 'no credentials' whenever the first stop character found is anything other than '@'.

Because ';' is in the delimiter set, a URL such as http://victim.example;@attacker.example/path makes wget stop at the ';', observe *p != '@', and return the URL unchanged. url_parse() then treats the whole string victim.example;@attacker.example as the host. RFC 3986 lists ';' as a sub-delim that is legal inside the userinfo subcomponent, so other URL parsers (browsers, proxies, allow-list filters, RFC-compliant servers) split userinfo at '@' regardless of any ';' before it.

The result is a parser differential (hostname confusion): wget resolves and connects to one host while logs, security filters, and downstream tools see a different host. This enables SSRF bypass, allow-list circumvention, and credential leakage.
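The two parsing behaviours described above, side by side, as an added example that is not wget's own code: a function mirroring the vulnerable strpbrk()-based logic, an RFC 3986-style counterpart that only ends userinfo at '@' within the authority, and a helper that flags URLs where the two disagree about the host (useful for a pre-fetch check or log review). It assumes the scheme prefix has already been stripped, as url_skip_credentials() expects; the sample URL is constructed from the advisory's example.

```c
#include <stdio.h>
#include <string.h>

/* Mirrors the vulnerable logic: stop at the first of "@/?#;" and accept
   only '@' as proof that userinfo is present. A ';' before '@' makes it
   return the URL unchanged, so the whole "a;@b" text becomes the host. */
static const char *skip_credentials_buggy(const char *url)
{
    const char *p = strpbrk(url, "@/?#;");
    if (p && *p == '@')
        return p + 1;   /* host starts after '@' */
    return url;         /* ';' hit first: treated as "no credentials" */
}

/* RFC 3986 style: the authority ends at the first of "/?#"; inside it,
   ';' is a legal sub-delim of userinfo, so only '@' terminates userinfo. */
static const char *skip_credentials_rfc(const char *url)
{
    const char *end = strpbrk(url, "/?#");
    size_t auth_len = end ? (size_t)(end - url) : strlen(url);
    const char *at = memchr(url, '@', auth_len);
    return at ? at + 1 : url;
}

/* Copy the host (up to ':' port separator or end of authority) into out. */
static void extract_host(const char *url, char *out, size_t outsz,
                         const char *(*skip)(const char *))
{
    const char *h = skip(url);
    size_t n = strcspn(h, ":/?#");
    if (n >= outsz) n = outsz - 1;
    memcpy(out, h, n);
    out[n] = '\0';
}

/* Fill 'buggy' and 'rfc' with each parser's view of the host.
   Returns 1 when they disagree (a CVE-2024-38428 style differential). */
int hosts_differ(const char *url_no_scheme, char *buggy, char *rfc, size_t sz)
{
    extract_host(url_no_scheme, buggy, sz, skip_credentials_buggy);
    extract_host(url_no_scheme, rfc, sz, skip_credentials_rfc);
    return strcmp(buggy, rfc) != 0;
}

int main(void)
{
    char b[128], r[128];
    const char *u = "victim.example;@attacker.example/path"; /* constructed sample */
    int d = hosts_differ(u, b, r, sizeof b);
    printf("differs=%d wget_view=%s rfc_view=%s\n", d, b, r);
    return 0;
}
```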