use snprintf() to be on the safe side

lib/http.c

@@ -144,7 +144,7 @@ static CURLcode Curl_output_basic(struct connectdata *conn, bool proxy)
     pwd = conn->passwd;
   }
 
-  sprintf(data->state.buffer, "%s:%s", user, pwd);
+  snprintf(data->state.buffer, sizeof(data->state.buffer), "%s:%s", user, pwd);
   if(Curl_base64_encode(data->state.buffer,
                         strlen(data->state.buffer),
                         &authorization) > 0) {