netrc crlf injection
curl
Reported by
nyymi
Vulnerability Details
Technical details and impact analysis
## Summary:
Curl allows `CR` and `LF` characters to be encoded in `login` and `password` netrc fields. This allows an attacker who can affect contents of the netrc entry to inject FTP commands by injecting CRLF to the `login` or `password`. POP3 is likely affected as well, but hasn't been tested.
The only situation in which this could be considered a vulnerability is when someone can choose their username or password freely which will then be injected to a netrc file. This could happen for example if some app constructs the netrc file from user provided input.
This is likely considered a "Local attackers already present" category issue. However, I leave it to the project to decide. If not deemed a security issue, I'll close the ticket and the issue can be fixed outside of the security process as a normal bug.
## Steps To Reproduce:
1. Have netrc file with:
```
machine localhost
login alice
password "alicespassword\r\nDELE pocfile.txt"
```
2. `echo -ne "220 \r\n331 \r\n" | nc -v -l -p 9999`
3. `curl -v --netrc-file netrc ftp://localhost:9999`
## Remediation suggestion
Do not allow `CR` or `LF` in the username or password when constructing commands for protocols that use these characters as separator (FTP, POP3, others?).
## Impact
FTP/POP3 command injection.
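
The check proposed under "Remediation suggestion", as an added example that is not part of the original report and is not curl's own code. The function names `field_is_single_line`, `build_command`, `build_command_unchecked` and `count_commands` are hypothetical, and the sample password is constructed from the netrc entry in the reproduction steps.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if s has no CR or LF and so stays on one protocol line. */
int field_is_single_line(const char *s)
{
  return s != NULL && strpbrk(s, "\r\n") == NULL;
}

/* Unchecked form: copies arg into "<VERB> <arg>\r\n" as-is. */
int build_command_unchecked(char *out, size_t outlen,
                            const char *verb, const char *arg)
{
  int n = snprintf(out, outlen, "%s %s\r\n", verb, arg);
  return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Checked form: refuses any arg that would end the line early.
   Returns the command length, or -1 if arg is rejected or does not fit. */
int build_command(char *out, size_t outlen,
                  const char *verb, const char *arg)
{
  if(!field_is_single_line(arg))
    return -1;
  return build_command_unchecked(out, outlen, verb, arg);
}

/* Number of CRLF-terminated lines, i.e. commands a server would parse. */
int count_commands(const char *buf)
{
  int count = 0;
  for(const char *p = buf; (p = strstr(p, "\r\n")) != NULL; p += 2)
    count++;
  return count;
}

int main(void)
{
  /* Constructed sample: the report's netrc password after escape decoding. */
  const char *password = "alicespassword\r\nDELE pocfile.txt";
  char cmd[128];

  if(build_command_unchecked(cmd, sizeof(cmd), "PASS", password) > 0)
    printf("unchecked: %d command(s) on the wire\n", count_commands(cmd));
  if(build_command(cmd, sizeof(cmd), "PASS", password) < 0)
    printf("checked: password rejected, nothing sent\n");
  return 0;
}
```

Rejecting the field outright, rather than stripping the characters, avoids silently sending a different credential than the one stored in the netrc file.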
Report Details
Additional information and metadata
State: Closed
Substate: Not-Applicable
Weakness: CRLF Injection