Report

wget --xattr leaks Basic-auth credentials into POSIX xattrs (CVE-2018-20483)

ad9c2358-d27a-4032-8da0-d7d08a2587f9

GNU wget v1.19 with --xattr leaks HTTP/FTP Basic credentials and query-string secrets into the downloaded file's POSIX extended attributes (user.xdg.origin.url and user.xdg.referrer.url). In set_file_metadata() in src/xattr.c, called from src/http.c:3953/3955 and src/ftp.c:1584, the original URL, including any userinfo (user:password@host) and sensitive query parameters, is copied verbatim into the xattrs. The values persist with the file and are readable by anyone with read access to it.
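An audit for files that already carry such values, as an added example (not part of the report or of wget): it walks a directory, reads the two attributes named above, and reports any stored URL that contains userinfo or a query string, printing only a redacted form. It assumes Linux, where Python exposes `os.getxattr`; the function names are hypothetical.

```python
import os
import sys
from urllib.parse import urlsplit

# The two attributes named in the report.
XATTRS = ("user.xdg.origin.url", "user.xdg.referrer.url")


def url_findings(url):
    """Name the kinds of sensitive data carried by a stored URL."""
    parts = urlsplit(url)
    findings = []
    if parts.password is not None:
        findings.append("password")
    elif parts.username:
        findings.append("username")
    if parts.query:
        findings.append("query")
    return findings


def redact(url):
    """Mask userinfo and query string so the finding is safe to log."""
    parts = urlsplit(url)
    host = parts.netloc.rpartition("@")[2]
    if parts.username is not None:
        host = "***@" + host
    return parts._replace(netloc=host, query="***" if parts.query else "").geturl()


def audit_tree(root):
    """Yield (path, attr, findings, redacted_url) for files under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for attr in XATTRS:
                try:
                    url = os.getxattr(path, attr).decode("utf-8", "replace")
                    found = url_findings(url)
                except (OSError, ValueError):
                    continue  # attribute absent, unsupported, or unparseable
                if found:
                    yield path, attr, found, redact(url)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, attr, found, shown in audit_tree(root):
        print(f"{path}: {attr} holds {', '.join(found)}: {shown}")
```

A flagged attribute can be cleared with `setfattr -x <attribute> <file>`; a credential that was stored this way should be rotated as well.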
