The HTTP authentication fix pushed in 1.9.1 was only partially correct: while it fixes the [auth] matching logic, it did not really fix an issue with URL user/password handling.