The user and password information is not URI encoded when the request is made.
The easiest scenario is as follows:
Some SCM management systems allow a username to be a password (GitLab is one, RhodeCode as well if memory serves). It's also possible to have special characters in passwords (enforced in many cases as well).
Create a username with an {{@}} symbol in it and attempt to clone a repository. Git will return an error saying that it's not a valid Git path.
Replace the {{@}} in the username with {{%40}}.
{{
http://user@example.com:
password@gitlabhost.com/path/to/repo.git}} = error
{{
http://user%40example.com:
password@gitlabhost.com/path/to/repo.git}} = success
The affected version is 6.0.4 and reproducible using mercurial.