[security] Do not store username/password in extended attributes when enabling --xattr flag

[sidhpurwala-huzaifa]

https://nvd.nist.gov/vuln/detail/CVE-2018-20483 contains the relevant information, can be reproduced by:

[huzaifas@babylon test]$ curl http://user1:redhat@localhost -o file --xattr
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0

[huzaifas@babylon test]$ getfattr curl
getfattr: curl: No such file or directory
[huzaifas@babylon test]$ getfattr file
# file: file
user.mime_type
user.xdg.origin.url

[huzaifas@babylon test]$ getfattr -n user.xdg.origin.url file
# file: file
user.xdg.origin.url="http://user1:redhat@localhost/"

[bagder]

This is a security issue for wget because they didn't require a flag for this action like curl does. I agree we should strip off the credentials when storing the url but the security impact of the current behavior is not like the wget CVE.

[danielgustafsson]

On 2 Jan 2019, at 10:14, Daniel Stenberg ***@***.***> wrote: This is a security issue for wget because they didn't require a flag for this action like curl does. I agree we should strip off the credentials when storing the url but the security impact of the current behavior is not like the wget CVE.

Unless someone is interested in hacking on this now, I suggest that we add this to the TODO.

[bagder]

I had some time over on a flight yesterday so there's a PR coming from me for this...