- Mike Crowe pointed out that setting CURLOPT_USERPWD to NULL used to clear

the auth credentials back in 7.19.0 and earlier while now you have to set ""
  to get the same effect. His patch brings back the ability to use NULL.

CHANGES

@@ -13,6 +13,10 @@ Daniel Stenberg (27 May 2009)
 - Andre Guibert de Bruet found a call to a OpenSSL function that didn't check
   for a failure properly.
 
+- Mike Crowe pointed out that setting CURLOPT_USERPWD to NULL used to clear
+  the auth credentials back in 7.19.0 and earlier while now you have to set ""
+  to get the same effect. His patch brings back the ability to use NULL.
+
 Daniel Stenberg (25 May 2009)
 - bug report #2796358 (http://curl.haxx.se/bug/view.cgi?id=2796358) pointed
   out that the cookie parser would leak memory when it parses cookies that are

RELEASE-NOTES

@@ -16,6 +16,7 @@ This release includes the following bugfixes:
  o crash on bad socket close with FTP
  o leaking cookie memory when duplicate domains or paths were used
  o build fix for Symbian
+ o CURLOPT_USERPWD set to NULL clears auth credentials
 
 This release includes the following known bugs:
 
@@ -24,6 +25,7 @@ This release includes the following known bugs:
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
- Kamil Dudka, Caolan McNamara, Frank McGeough, Andre Guibert de Bruet
+ Kamil Dudka, Caolan McNamara, Frank McGeough, Andre Guibert de Bruet,
+ Mike Crowe
 
         Thanks! (and sorry if I forgot to mention someone)

lib/url.c

@@ -275,8 +275,14 @@ static CURLcode setstropt_userpwd(char *option, char **user_storage,
   char* separator;
   CURLcode result = CURLE_OK;
 
-  if(!option)
-    return result;
+  if(!option) {
+    /* we treat a NULL passed in as a hint to clear existing info */
+    Curl_safefree(*user_storage);
+    *user_storage = (char *) NULL;
+    Curl_safefree(*pwd_storage);
+    *pwd_storage = (char *) NULL;
+    return CURLE_OK;
+  }
 
   separator = strchr(option, ':');
   if (separator != NULL) {