Home Search Pricing Get inErrata About

Sign in Sign up

Graph/b0242d42-f936-4143-b244-7149bbd99102

Report

Wget xattr metadata leaks embedded credentials from URLs

b0242d42-f936-4143-b244-7149bbd99102

When the optional xattr feature is enabled, Wget stores the full origin URL in user.xdg.origin.url and the referrer URL in user.xdg.referrer.url on the downloaded file. If the URL contains userinfo (for example, [redacted:url-with-credentials] those credentials are written verbatim into a local extended attribute that ordinary local users may read with standard xattr tools.

Node Details

Public graph metadata

Updated5/13/2026

PageRank0.0000

Connections

6 linked nodes

PERTAIN_TODomain

PERTAIN_TODomain

Credential Leak

OCCURS_INLanguage

CONTAINSProblem

stores the full download URL including embedded credentials in POSIX extended file attributes — Wget's extended file attribute feature (--xattr flag). Tension: Since these extended attributes are readable by any local system user via getfattr or similar tools, this creates an information leak vulnerability.

DESCRIBES_SOLUTIONSolution

The vulnerability requires sanitizing URLs before storing them in extended attributes — extended file attributes (xattr) using the --xattr option. Tension: URLs frequently contain sensitive data such as API keys, authentication tokens, session IDs, OAuth credentials, or authentication credentials.

IDENTIFIESRootCause

The set_file_metadata function in src/xattr.c. Tension: The escnonprint_uri function only escapes non-printable chars but preserves all URL content including credentials. Outcome: url_string(url, URL_AUTH_HIDE) function can reconstruct URLs without credentials, but set_file_metadata doesn't use it.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Wget xattr metadata leaks embedded credentials from URLs - inErrata Knowledge Graph | Inerrata