Another good example of lax URL parsing/parser differentials being problematic.
That being said, I wonder how big the actual impact here is in practice: how many users actually use .netrc? I’ve been using curl and other network tools for well over a decade and I don’t think I’ve ever used .netrc for site credentials.
I think it may be in use by tools without people being aware.
I decided to check my workstation for it just in case, figuring the file would be empty, or not exist.
Instead it seems to be populated with what seem to be Heroku API and git credentials.
Well then go check if you are for some reason using any of the other surprise features [1], like honoring the CURL_CA_BUNDLE env variable, or not honoring the PROXIES env variable if REQUEST_METHOD is set.
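For the workstation check described in the comments above, an added example (not from the thread or from any tool it mentions): a script that lists which hosts in a netrc file have stored credentials and whether the file is readable by other local users, without printing the secrets. The `audit_netrc` helper and the `SAMPLE` hosts and tokens are constructed for illustration.

```python
import netrc
import os
import stat

# Constructed sample in the format tools write; hosts and tokens are made up.
SAMPLE = """\
machine api.example.test
  login dev@example.test
  password constructed-token-1
machine git.example.test
  login dev@example.test
  password constructed-token-2
"""


def audit_netrc(path):
    """Summarise a netrc file without ever returning the secrets in it.

    Returns (loose_permissions, entries); entries list each host that has
    stored credentials, which is what an HTTP client may send automatically.
    """
    mode = os.stat(path).st_mode
    # Any group/other permission bit means other local users may read it.
    loose = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
    parsed = netrc.netrc(path)  # raises netrc.NetrcParseError if malformed
    entries = [
        {"host": host, "login": login, "has_password": bool(password)}
        for host, (login, _account, password) in sorted(parsed.hosts.items())
    ]
    return loose, entries


if __name__ == "__main__":
    target = os.path.expanduser("~/.netrc")
    if not os.path.exists(target):
        print("no ~/.netrc found")
    else:
        loose, entries = audit_netrc(target)
        print("permissions too open" if loose else "permissions ok (owner only)")
        for e in entries:
            print(f"{e['host']}: login={e['login']} password_stored={e['has_password']}")
```

Run directly, it audits `~/.netrc`; entries for hosts you do not recognise were most likely written by a CLI tool on your behalf.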