netrc + redirect credential leak
Low
Vulnerability Details
## Summary:
Curl has a logic flaw in the way it processes netrc credentials when performing redirects. Under certain conditions the redirect passes along credentials specified for the original host to the redirection target, resulting in an unexpected leak of credentials to the redirect target.
## Steps To Reproduce:
1. Have two sites `https://a` and `https://b`, where `https://a` returns a 301 redirect to `https://b`.
2. Have a netrc file with the following contents:
```
machine a
login alice
password alicespassword
default
login bob
```
3. `curl -L --netrc-file netrc -v https://a`
Credentials `bob:alicespassword` will be sent to `https://b`.
## Suggested remediation
When parsing the netrc file during a redirect, if a match is found, clear the previously set username and password before applying the matching entry.
## Note
This flaw manifests itself when the netrc file matches the redirect target but the matching entry omits the password, or omits both login and password.
## Impact
Unexpected leak of credentials. If a login is specified for the redirect target host in netrc, only the password is leaked; if neither login nor password is specified, the full credentials are leaked.
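The merge behaviour described in the steps, the suggested remediation and the two impact cases, modelled as an added illustration in Python. This is not curl's code; the netrc sample is the one from the report, and the hypothetical `clear_on_match` switch selects between the flawed merge and the remediated one.

```python
# Model of the netrc credential merge across a redirect described in this report.
# Added illustration, not curl's source; the sample netrc is the one from the report.

NETRC_SAMPLE = """\
machine a
login alice
password alicespassword
default
login bob
"""

def parse_netrc(text):
    """Return {host: {"login": ..., "password": ...}}; the default entry is keyed "default".
    An entry may omit login, password, or both, as in the report's sample."""
    entries, current = {}, None
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine":
            current = entries.setdefault(tokens[i + 1], {})
            i += 2
        elif tok == "default":
            current = entries.setdefault("default", {})
            i += 1
        elif tok in ("login", "password") and current is not None:
            current[tok] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return entries

def credentials_after_redirect(netrc_text, hosts, clear_on_match):
    """Walk the redirect chain (original host first) and return the (login, password)
    pair that ends up being sent to the last host. An exact machine entry is used,
    otherwise the default entry, otherwise nothing.
    clear_on_match=False reproduces the flaw: fields the new entry omits keep the
    previous host's values. clear_on_match=True is the suggested remediation."""
    entries = parse_netrc(netrc_text)
    login = password = None
    for host in hosts:
        entry = entries.get(host, entries.get("default"))
        if entry is None:
            continue  # no match: nothing changes for this hop
        if clear_on_match:
            login = password = None
        login = entry.get("login", login)
        password = entry.get("password", password)
    return login, password
```

With the report's netrc and the chain `["a", "b"]`, the flawed merge yields `("bob", "alicespassword")` while the remediated one yields `("bob", None)`.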
Report Stats
- Report ID: 2829063
- State: Closed
- Substate: resolved
- Upvotes: 3