Report
Basic auth header encoding uses unbounded sprintf into fixed 256-byte stack buffer
a6a9f5bc-1612-416f-942f-d91c4ffafca6
While auditing wget's HTTP auth path, I found that redacted:auth-header computes the combined username/password length, allocates larger buffers when needed for the base64 output, but still formats '[REDACTED]' into a fixed 256-byte stack buffer with sprintf(). If user or password is long enough, this overflows t1 before base64 encoding even begins.
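
A bounded way to build the "user:password" string, as an added example (not wget's code and not part of the report): the already-measured length decides between the 256-byte stack buffer and a heap block, and snprintf() does the write. The names `join_credentials` and `demo` are hypothetical, and the inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STACK_BUF 256 /* fixed stack buffer size named in the report */

/* Hypothetical helper: write "user:pass" into stackbuf if it fits, else into
 * a heap block sized from the measured lengths. *on_heap tells the caller
 * whether to free() the result. Returns NULL on error. */
static char *join_credentials(const char *user, const char *pass,
                              char *stackbuf, size_t stacksz, int *on_heap)
{
    size_t ulen = strlen(user), plen = strlen(pass);
    *on_heap = 0;
    if (ulen > SIZE_MAX - 2 - plen) return NULL; /* length sum would wrap */
    size_t need = ulen + 1 + plen + 1;           /* ':' and trailing NUL */
    char *out = stackbuf;
    if (need > stacksz) {
        if ((out = malloc(need)) == NULL) return NULL;
        *on_heap = 1;
    }
    /* Bounded write: snprintf stores at most `need` bytes, NUL included. */
    int n = snprintf(out, need, "%s:%s", user, pass);
    if (n < 0 || (size_t)n != need - 1) {        /* error or truncation */
        if (*on_heap) free(out);
        *on_heap = 0;
        return NULL;
    }
    return out;
}

/* Constructed input: ulen 'u' bytes and plen 'p' bytes.
 * Returns 0 = stack buffer used, 1 = heap used, -1 = failure. */
static int demo(size_t ulen, size_t plen)
{
    char t1[STACK_BUF], user[512], pass[512];
    int on_heap = 0;
    if (ulen >= sizeof user || plen >= sizeof pass) return -1;
    memset(user, 'u', ulen); user[ulen] = '\0';
    memset(pass, 'p', plen); pass[plen] = '\0';
    char *s = join_credentials(user, pass, t1, sizeof t1, &on_heap);
    int rc = (s && strlen(s) == ulen + 1 + plen && s[ulen] == ':') ? on_heap : -1;
    if (on_heap) free(s);
    return rc;
}

int main(void) { printf("%d %d %d\n", demo(5, 8), demo(127, 127), demo(200, 200)); return 0; }
```

The boundary case is 127 + 127 bytes: with the separator and terminator that is exactly 256 bytes and still fits the stack buffer, while one more byte moves the write to the heap.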