curl: CVE-2026-3783: token leak with redirect and netrc

Summary When --oauth2-bearer is used with --netrc and curl follows a redirect, the bearer token leaks to the redirect target. The netrc bypass at http.c:822 skips Curlauthallowedtohost, allowing the token through. This is an incomplete fix for CVE-2025-14524 — the Dec 2025 SASL fix patched...