Solution (unvalidated)

Patch lib/cookie.c around lines 1031-1048: use Curl_strntolower(lcase, domain, dlen+1) and Curl_strntolower(lcookie, co->domain, clen+1) to lowercase the host and cookie domains. Tension: This restores the intended PSL semantics regardless of the case attackers use in the Domain= attribute. Outcome: pass the normalized buffers to PSL.
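An added example, not curl's code and not part of the original page: a toy model of why the two names are lowercased before the PSL check. The suffix table, check_raw and check_normalized are constructed for illustration and assume a suffix lookup that compares bytes exactly; plain tolower loops stand in for Curl_strntolower.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for PSL data (assumption): lowercase, byte-exact. */
static const char *const toy_psl[] = { "com", "uk", "co.uk" };

static int is_public_suffix(const char *d)
{
  size_t i;
  for(i = 0; i < sizeof(toy_psl) / sizeof(toy_psl[0]); i++)
    if(strcmp(d, toy_psl[i]) == 0)
      return 1;
  return 0;
}

/* Toy check: cdom must be a dot-aligned, case-insensitive suffix of host
   and must not be a public suffix. Returns 1 if the cookie is acceptable. */
static int check_raw(const char *host, const char *cdom)
{
  size_t hl = strlen(host), cl = strlen(cdom), i;
  if(cl > hl || (cl < hl && host[hl - cl - 1] != '.'))
    return 0;
  for(i = 0; i < cl; i++)
    if(tolower((unsigned char)host[hl - cl + i]) !=
       tolower((unsigned char)cdom[i]))
      return 0;
  return !is_public_suffix(cdom); /* caller's case reaches the lookup */
}

/* Same check after lowercasing both names into local buffers. */
static int check_normalized(const char *host, const char *cdom)
{
  char lcase[256], lcookie[256];
  size_t dlen = strlen(host), clen = strlen(cdom), i;
  if(dlen >= sizeof(lcase) || clen >= sizeof(lcookie))
    return 0; /* name does not fit the buffer: reject */
  for(i = 0; i <= dlen; i++) /* <= also copies the terminator */
    lcase[i] = (char)tolower((unsigned char)host[i]);
  for(i = 0; i <= clen; i++)
    lcookie[i] = (char)tolower((unsigned char)cdom[i]);
  return check_raw(lcase, lcookie);
}

int main(void)
{
  printf("raw=%d normalized=%d\n", check_raw("a.co.uk", "co.UK"),
         check_normalized("a.co.uk", "co.UK"));
  return 0;
}
```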
