CVE-2021-22923: Metalink download sends credentials
Medium
Vulnerability Details
## Summary:
When compiled `--with-libmetalink` and used with `--metalink` and `--user`, curl will use the credentials for any further transfers performed. This includes different hosts and protocols, even ones without transport layer security such as `http` and `ftp`. As a result, the credentials only intended for the target site may end up being sent to outside hosts without transport layer security, and may be intercepted by attackers in a man-in-the-middle network position.
For example, HTTP redirects will not leak the credentials to other hosts unless `--location-trusted` is used, thus this is unexpected and insecure behaviour.
## Steps To Reproduce:
1. Configure libcurl `--with-libmetalink` and build libcurl
2. Have metalinktest.xml with a `<url>` referencing data on a different host than testsite and using the `http` protocol
3. Execute: `curl --metalink --user professor:Joshua https://testsite/metalinktest.xml`
The credentials can be seen by the target host and anyone in a man-in-the-middle position:
`Authorization: Basic cHJvZmVzc29yOkpvc2h1YQ==`
## Remarks
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) might be a more accurate CWE.
## Fix
- Perhaps `--location-trusted` should be extended to apply to `--metalink` as well
## Impact
Leak of credentials to unauthorized parties
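A pre-flight check for the behaviour described in this report, added here as an example; it is not part of the report or of curl's own code. It parses a constructed Metalink 4 file (the file name, mirror hosts and URLs are assumed for illustration) and lists which `<url>` targets sit on a different host than the metalink's origin or use a plaintext protocol, i.e. the transfers to which the `--user` credentials would be sent under the reported behaviour. It also builds the `Authorization` header shown in the steps above from the same `--user` value, so the reader can confirm what the mirrors would see.

```python
"""Pre-flight audit of a Metalink file before running curl --metalink --user.

Added example, not code from the report or from curl/libmetalink.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces of Metalink 4 (RFC 5854) and Metalink 3; libmetalink reads both.
ML4 = "urn:ietf:params:xml:ns:metalink"
ML3 = "http://www.metalinker.org/"

# Constructed sample (assumed hosts and paths, not the reporter's file):
# served from https://testsite but listing mirrors elsewhere and over plaintext.
SAMPLE_METALINK = """<?xml version="1.0" encoding="UTF-8"?>
<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="data.bin">
    <url priority="1">https://testsite/data.bin</url>
    <url priority="2">http://mirror.example.net/data.bin</url>
    <url priority="3">ftp://ftp.example.org/pub/data.bin</url>
    <url priority="4">https://other.example.com/data.bin</url>
  </file>
</metalink>
"""

# Schemes that put the credentials on an encrypted transport.
TLS_SCHEMES = {"https", "ftps", "sftp", "scp"}


def basic_auth_header(user, password):
    """Header curl sends for --user USER:PASSWORD with HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def metalink_urls(xml_text):
    """Return every <url> target in a Metalink 3 or Metalink 4 document."""
    root = ET.fromstring(xml_text)
    urls = []
    for ns in (ML4, ML3):
        urls += [el.text.strip() for el in root.iter(f"{{{ns}}}url") if el.text]
    return urls


def audit(xml_text, metalink_url):
    """Classify each mirror URL relative to the host the credentials were for.

    Under the reported behaviour curl reuses the --user credentials for every
    one of these transfers, so each entry flags whether that would mean
    sending them to another host and/or over a plaintext protocol.
    """
    origin_host = (urlparse(metalink_url).hostname or "").lower()
    findings = []
    for url in metalink_urls(xml_text):
        u = urlparse(url)
        host = (u.hostname or "").lower()
        findings.append({
            "url": url,
            "cross_host": host != origin_host,
            "plaintext": u.scheme not in TLS_SCHEMES,
        })
    return findings


def unsafe_targets(xml_text, metalink_url):
    """URLs that would expose the credentials off-host or in the clear."""
    return [f["url"] for f in audit(xml_text, metalink_url)
            if f["cross_host"] or f["plaintext"]]


if __name__ == "__main__":
    print(basic_auth_header("professor", "Joshua"))
    for f in audit(SAMPLE_METALINK, "https://testsite/metalinktest.xml"):
        flags = [k for k in ("cross_host", "plaintext") if f[k]]
        print(f"{f['url']:45} {', '.join(flags) or 'ok'}")
```

Running it against the sample prints the `Basic cHJvZmVzc29yOkpvc2h1YQ==` header from the report and flags three of the four mirrors; only the same-host `https` URL is one the credentials were ever meant for.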
Report Stats
- Report ID: 1213181
- State: Closed
- Substate: resolved
- Upvotes: 3