http: clear credentials better on redirect

[bagder]

Verify with test 2506: netrc with redirect using proxy

Updated test 998 which was wrong.

Reported-by: Muhamad Arga Reksapati

[Copilot]

Pull request overview

Updates libcurl’s HTTP redirect handling to more reliably clear credentials on cross-origin redirects (including netrc-derived creds), and adds regression tests for proxy + redirect scenarios.

Changes:

• Adjust Curl_http_follow() credential-reset logic during redirects.
• Add new libtest + test case 2506 covering netrc credentials with redirects through an HTTP proxy.
• Correct test998 expectations so redirected request no longer includes the original Authorization header.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
lib/http.c	Refactors redirect auth clearing using same-origin detection and resets credentials accordingly.
tests/libtest/lib2506.c	Adds a new libcurl-driven test client for the new testcase.
tests/libtest/Makefile.inc	Registers lib2506.c in the libtest build.
tests/data/test2506	New testcase verifying netrc auth is not sent after redirect when using a proxy.
tests/data/test998	Fixes incorrect expectation: redirected request should not carry Authorization.
tests/data/Makefile.am	Registers test2506 in the test suite manifest.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[testclutch]

Analysis of PR #21345 at a4c1a273:

Test 2506 failed, which has NOT been flaky recently, so there could be a real issue in this PR. Note that this test has failed in 6 different CI jobs (the link just goes to one of them).

Generated by Testclutch