This adds some workarounds for old style auth headers in URL auth.
The old code did not check buffer lengths. Buffer overflow seems
possible.

This also adds a new handling that replaces the old one and has a
much cleaner interface. This should be used for future software.