CVE-2026-3783: token leak with redirect and netrc

##Summary When --oauth2-bearer is used with --netrc and curl follows a redirect, the bearer token leaks to the redirect target. The netrc bypass at http.c:822 skips Curl_auth_allowed_to_host(), allowing the token through. This is an incomplete fix for CVE-2025-14524 — the Dec 2025 SASL fix patched curl_sasl.c but missed the HTTP bearer path.

This is an incomplete fix for the same vulnerability class as CVE-2025-14524. The Dec 2025 SASL bearer fix (commit 1a822275d3, PR #19933) patched lib/curl_sasl.c but left the HTTP bearer path at lib/http.c:704-714 unprotected.

Version

curl 8.10.1 (confirmed), also present in current master d9c2c64337. All versions supporting --oauth2-bearer with --netrc are affected.

The netrc bypass (lib/http.c:820-827):