File bad-metadata-CVE-2018-20483.patch of Package wget.10861

Index: wget-1.19.5/src/ftp.c
===================================================================
--- wget-1.19.5.orig/src/ftp.c
+++ wget-1.19.5/src/ftp.c
@@ -1580,7 +1580,7 @@ Error in server response, closing contro
 
 #ifdef ENABLE_XATTR
   if (opt.enable_xattr)
-    set_file_metadata (u->url, NULL, fp);
+    set_file_metadata (u, NULL, fp);
 #endif
 
   fd_close (local_sock);
Index: wget-1.19.5/src/http.c
===================================================================
--- wget-1.19.5.orig/src/http.c
+++ wget-1.19.5/src/http.c
@@ -4124,9 +4124,9 @@ gethttp (const struct url *u, struct url
   if (opt.enable_xattr)
     {
       if (original_url != u)
-        set_file_metadata (u->url, original_url->url, fp);
+        set_file_metadata (u, original_url, fp);
       else
-        set_file_metadata (u->url, NULL, fp);
+        set_file_metadata (u, NULL, fp);
     }
 #endif
 
Index: wget-1.19.5/src/xattr.c
===================================================================
--- wget-1.19.5.orig/src/xattr.c
+++ wget-1.19.5/src/xattr.c
@@ -22,6 +22,7 @@
 
 #include "log.h"
 #include "xattr.h"
+#include "utils.h"
 
 #ifdef USE_XATTR
 
@@ -57,7 +58,7 @@ write_xattr_metadata (const char *name,
 #endif /* USE_XATTR */
 
 int
-set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
+set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp)
 {
   /* Save metadata about where the file came from (requested, final URLs) to
    * user POSIX Extended Attributes of retrieved file.
@@ -67,13 +68,28 @@ set_file_metadata (const char *origin_ur
    * [http://0pointer.de/lennart/projects/mod_mime_xattr/].
    */
   int retval = -1;
+  char *value;
 
   if (!origin_url || !fp)
     return retval;
 
-  retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (origin_url), fp);
-  if ((!retval) && referrer_url)
-    retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (referrer_url), fp);
+  value = url_string (origin_url, URL_AUTH_HIDE);
+  retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (value), fp);
+  xfree (value);
+
+  if (!retval && referrer_url)
+    {
+        struct url u;
+
+        memset(&u, 0, sizeof(u));
+      u.scheme = referrer_url->scheme;
+      u.host = referrer_url->host;
+      u.port = referrer_url->port;
+
+      value = url_string (&u, 0);
+      retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (value), fp);
+      xfree (value);
+    }
 
   return retval;
 }
Index: wget-1.19.5/src/xattr.h
===================================================================
--- wget-1.19.5.orig/src/xattr.h
+++ wget-1.19.5/src/xattr.h
@@ -16,12 +16,13 @@
    along with this program; if not, see <http://www.gnu.org/licenses/>.  */
 
 #include <stdio.h>
+#include <url.h>
 
 #ifndef _XATTR_H
 #define _XATTR_H
 
 /* Store metadata name/value attributes against fp. */
-int set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp);
+int set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp);
 
 #if defined(__linux)
 /* libc on Linux has fsetxattr (5 arguments). */