Report

CVE-2018-20483: wget --xattr leaks URL credentials into extended file attributes

cb481708-82b5-495d-b8cb-25bdcbf7c624

When wget downloads a file with --xattr enabled (opt.enable_xattr), it stores the origin URL in the POSIX extended attribute user.xdg.origin.url via set_file_metadata() in src/xattr.c. The URL passed to this function is u->url, which is built using url_string(u, URL_AUTH_SHOW) in url.c line 954 — a mode that embeds plaintext credentials (user:password) directly in the URL string. The same issue affects the referrer URL stored in user.xdg.referrer.url, and the FTP download path (ftp.c line 1584). Any local user with read access to the downloaded file can recover the credentials via getfattr.
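As an added example, not part of the original report and not wget's own code, the following Python audit helper shows what a defender can check on a host where files were fetched with `--xattr`: it reads the two attributes the report names (`user.xdg.origin.url` and `user.xdg.referrer.url`), flags any value whose authority still carries a `user:password` userinfo part, and can rewrite the attribute with the credentials stripped. It assumes a Linux filesystem that supports `user.*` xattrs (the scan degrades to "nothing found" where they are unsupported); the sample URLs and the demo file are constructed for illustration.

```python
"""Audit wget --xattr attributes for leaked URL credentials (added example).

Not wget's code. Attribute names come from the CVE-2018-20483 report; the
sample URLs below are constructed. Requires Linux xattr support for scan/scrub.
"""
import errno
import os
import tempfile
from urllib.parse import urlsplit

# The two extended attributes the report identifies as the leak location.
XATTR_NAMES = ("user.xdg.origin.url", "user.xdg.referrer.url")

# errno values that mean "attribute absent" or "filesystem has no xattrs";
# collected defensively because not every platform defines every name.
_BENIGN_ERRNOS = {
    getattr(errno, n) for n in ("ENODATA", "ENOATTR", "ENOTSUP", "EOPNOTSUPP")
    if hasattr(errno, n)
}


def has_userinfo(url: str) -> bool:
    """True if the URL authority embeds credentials (user or user:password)."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def redact_url_credentials(url: str) -> str:
    """Return the URL with the userinfo removed; host, port and path are kept.

    The netloc is split at its last '@' because a host name can never contain
    one, while an (encoded or not) '@' may appear inside the password.
    """
    parts = urlsplit(url)
    if not has_userinfo(url):
        return url
    clean_netloc = parts.netloc.rsplit("@", 1)[-1]
    return url.replace(parts.netloc, clean_netloc, 1)


def scan_file(path: str) -> dict:
    """Return {attribute: (url, leaks_credentials)} for each attribute present.

    Missing attributes, or a filesystem without xattr support, contribute
    nothing rather than raising; any other OSError is propagated.
    """
    findings = {}
    if not hasattr(os, "getxattr"):  # non-Linux Python builds lack xattr calls
        return findings
    for name in XATTR_NAMES:
        try:
            raw = os.getxattr(path, name)
        except OSError as exc:
            if exc.errno in _BENIGN_ERRNOS:
                continue
            raise
        url = raw.decode("utf-8", "replace")
        findings[name] = (url, has_userinfo(url))
    return findings


def scrub_file(path: str) -> int:
    """Rewrite every leaking attribute with its redacted URL; return the count."""
    rewritten = 0
    for name, (url, leaks) in scan_file(path).items():
        if leaks:
            os.setxattr(path, name, redact_url_credentials(url).encode("utf-8"))
            rewritten += 1
    return rewritten


if __name__ == "__main__":
    # Demo on a constructed temp file: plant a credential-bearing origin URL
    # the way wget --xattr would, then scan and scrub it.
    with tempfile.NamedTemporaryFile() as tmp:
        try:
            os.setxattr(tmp.name, XATTR_NAMES[0],
                        b"https://alice:s3cret@example.com/pkg.tar.gz")
        except OSError as exc:
            print(f"xattrs unsupported here ({exc.strerror}); skipping demo")
        else:
            print("before:", scan_file(tmp.name))
            print("rewrote", scrub_file(tmp.name), "attribute(s)")
            print("after: ", scan_file(tmp.name))
```

Run it against a download directory with something like `for f in ~/Downloads/*; do python3 audit_xattr.py "$f"; done` after adapting the demo to take a path argument; the pure functions (`has_userinfo`, `redact_url_credentials`) are what a log or backup scanner would reuse, since the same `user:password@host` pattern is what `getfattr -d` would print.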