Plaintext credential is exposed in CommandError if Authorization is passed in http.extraHeader

[gabloe]

If credentials are passed in the URI, e.g. https://user:[email protected]/bar.git then the credential is properly removed from the cmdline in the exception, but if an authorization header is set via http.extraHeader then the credential is not stripped from the exception.

[Byron]

I acknowledge this issue tentatively as the issue is related to security, but wish there would be steps that help to reproduce it as well.

A potential fix could use that to setup a test for reproduction, along with the fix.