GHSA-9857-6mw7-fq2m: gix-transport: HTTP credentials leaked to redirected host in curl backend
The curl-based HTTP transport in gix-transport sends user credentials (passwords, tokens) to an attacker-controlled server after an HTTP redirect. When the server answers the initial GET /info/refs with a 302 redirect, gitoxide records the redirected base URL and rewrites all subsequent requests to point at the redirected host. The Authorization header is still attached to those requests, because add_basic_auth_if_present() only checks self.url, the original URL, which is never updated after the redirect.
The reqwest backend is not affected. Its custom redirect policy at reqwest/remote.rs lines 60-64 compares prev_url.host_str() with curr_url.host_str() and calls attempt.stop() on cross-domain redirects, so redirected_base_url is never set to a different host.
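As an added example that is not gitoxide's code, the following Rust sketch models the redirect handling described above and places the flawed credential check beside a hardened one that forwards credentials only to the host the user configured. The Transport type, its methods and the sample hosts are constructed for illustration.

```rust
// Added example, not gitoxide's code: a minimal model of the redirect handling the
// advisory describes. `url` is the remote the user configured; `redirected_base_url`
// is recorded after a redirect on GET /info/refs. Names and sample hosts are constructed.

/// Host (with port, if explicit) of a URL, ignoring scheme, userinfo, path and query.
fn host_of(url: &str) -> Option<&str> {
    let authority = url.split_once("://")?.1.split(['/', '?', '#']).next()?;
    authority.rsplit('@').next() // drop "user:pass@" if present
}

struct Transport {
    url: String,
    redirected_base_url: Option<String>,
    credentials: Option<(String, String)>,
}

impl Transport {
    fn new(url: &str, user: &str, pass: &str) -> Self {
        Transport { url: url.into(), redirected_base_url: None,
                    credentials: Some((user.into(), pass.into())) }
    }

    /// Record where a 302 on /info/refs sent us; later requests use this base.
    fn follow_redirect(&mut self, location: &str) {
        let base = location.strip_suffix("/info/refs").unwrap_or(location);
        self.redirected_base_url = Some(base.to_string());
    }

    fn request_url(&self, path: &str) -> String {
        format!("{}{}", self.redirected_base_url.as_deref().unwrap_or(&self.url), path)
    }

    /// The flawed check: only `self.url` (never updated) decides, so the header is
    /// attached no matter which host the request is actually sent to.
    fn vulnerable_auth_header(&self) -> Option<String> {
        let (user, pass) = self.credentials.as_ref()?;
        host_of(&self.url).map(|_| format!("Basic {user}:{pass}")) // encoding simplified
    }

    /// Hardened check: compare the host of the URL actually requested with the host
    /// the user configured, the same rule the reqwest backend's redirect policy applies.
    fn hardened_auth_header(&self) -> Option<String> {
        let (user, pass) = self.credentials.as_ref()?;
        let target = self.request_url("/info/refs");
        if host_of(&target)? != host_of(&self.url)? {
            return None; // cross-host redirect: credentials stay with the original host
        }
        Some(format!("Basic {user}:{pass}")) // encoding simplified
    }
}
```

A same-host redirect (for example to a moved repository path) still receives the header under the hardened rule; only a change of host drops it.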