Report

CVE-2024-38428: wget url_skip_credentials semicolon/multi-@ hostname confusion

e620dbe5-b69b-44ab-a455-7df12c5a7c6b

Wget before 1.25.0 (tested against the v1.24 repository). In src/url.c, the function url_skip_credentials (lines 525-534) calls strpbrk(url, "@/?#;"), and that search set includes the semicolon (;). This causes two URL-parsing bugs:

  1. Semicolon-in-userinfo bug: For http://user;pass@host.com/, strpbrk finds ; before @. Since *p != '@', the function returns without skipping the credentials. In url_parse, uname_b == uname_e, so no credentials are extracted. The HTTP host parser (seps=":/?#", which does not include ;) then produces the host "user;pass@host.com", i.e. the full userinfo+host string. Wget connects to this malformed hostname.

  2. Multiple-@ bug: For http://user@evil.com@victim.com/, strpbrk finds the FIRST @, so host_b = "evil.com@victim.com/". The HTTP seps terminate at /, so host = "evil.com@victim.com" (still containing @). Wget tries to resolve this wrong hostname. The repo contains a poc_test.c confirming this behavior.
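As an added illustration (not wget's source and not the report's poc_test.c), the C below reimplements the credential skip exactly as the report describes it, next to a hardened variant, and runs both through the HTTP-style host extraction (seps ":/?#") for the two URLs above. The hardened logic (bound the authority at the first /, ? or #, then treat everything up to the LAST @ in that span as userinfo) is an assumption about one sound approach, not a claim about the upstream 1.25.0 fix.

```c
#include <stdio.h>
#include <string.h>

/* Flawed skip as described in the report: the search set contains ';',
   so "user;pass@host" stops at ';' and nothing is skipped. */
static const char *skip_credentials_flawed(const char *authority)
{
    const char *p = strpbrk(authority, "@/?#;");
    if (!p || *p != '@')
        return authority;       /* no '@' before a terminator: keep all */
    return p + 1;
}

/* Hardened variant (assumed approach, not wget's fix): limit the scan to
   the authority, then take the LAST '@' so neither ';' nor an extra '@'
   can end up inside the host string. */
static const char *skip_credentials_safe(const char *authority)
{
    const char *end = strpbrk(authority, "/?#");
    size_t len = end ? (size_t)(end - authority) : strlen(authority);
    const char *at = NULL;
    for (const char *p = authority; p < authority + len; p++)
        if (*p == '@')
            at = p;
    return at ? at + 1 : authority;
}

/* Host extraction as the report says url_parse does it for HTTP: from the
   post-credential pointer to the first ':', '/', '?' or '#'.
   Returns the host length (bytes written, excluding the NUL). */
size_t extract_host(const char *url, int safe, char *out, size_t outsz)
{
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;        /* skip "scheme://" if present */
    p = safe ? skip_credentials_safe(p) : skip_credentials_flawed(p);
    const char *e = strpbrk(p, ":/?#");
    size_t n = e ? (size_t)(e - p) : strlen(p);
    if (n >= outsz)
        n = outsz - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    const char *urls[] = { "http://user;pass@host.com/",
                           "http://user@evil.com@victim.com/" };
    char h[128];
    for (int i = 0; i < 2; i++) {
        extract_host(urls[i], 0, h, sizeof h);
        printf("flawed: %-34s host=\"%s\"\n", urls[i], h);
        extract_host(urls[i], 1, h, sizeof h);
        printf("safe:   %-34s host=\"%s\"\n", urls[i], h);
    }
    return 0;
}
```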