CVE-2023-46218 curl cookie mixed-case PSL bypass in Curl_cookie_add
1d89073c-a015-403d-a354-3713ebefeaa8
curl 8.4.0 and earlier have a 'cookie mixed case PSL bypass' (CVE-2023-46218). In lib/cookie.c, Curl_cookie_add() guards against setting cookies whose Domain attribute is a Public Suffix by calling psl_is_cookie_domain_acceptable(psl, domain, co->domain). Both arguments are forwarded raw, but libpsl's matching is case-sensitive against its lowercase PSL data. A malicious server can therefore send Set-Cookie: pwn=1; Domain=co.UK and curl will accept and store the super-cookie because the PSL test never sees the canonical 'co.uk'. Once stored, the cookie gets sent (via case-insensitive cookie_tailmatch) to every host on .co.uk, allowing cross-site cookie injection / leakage.
The vulnerable call is acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain); neither domain (the default host taken from the URL) nor co->domain (the parsed Set-Cookie Domain= value, after the leading-dot strip at lines 677-680) is lowercased before the call. Cross-referenced with the upstream fix commit 2b0994c29a721c91c572cff7808c572a24d251eb, which inserts Curl_strntolower calls into stack buffers lcase[256] / lcookie[256] before the PSL call. The repo also ships cve_2023_46218_poc.c, which mis-attributes the bug to Curl_cookie_getlist; the actual CVE is the mixed-case PSL bypass in Curl_cookie_add.
Lowercase copies of domain and co->domain into stack buffers before invoking psl_is_cookie_domain_acceptable. Use Curl_strntolower(lcase, domain, dlen+1) and Curl_strntolower(lcookie, co->domain, clen+1) and pass the normalized buffers to PSL. This restores the intended PSL semantics regardless of the case used in the Domain= attribute.
With the fix in place, a cookie whose Domain= attribute is a public suffix in mixed case (e.g. Set-Cookie: name=v; Domain=co.UK) is rejected: libpsl, now given 'co.uk', returns acceptable=FALSE and the cookie is dropped via freecookie(co).
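The following is an added, self-contained C illustration of the bug and the fix described above; it is not curl's or libpsl's code. A three-entry constructed suffix list stands in for libpsl's lowercase PSL data, is_public_suffix() mimics libpsl's exact (case-sensitive) comparison, tailmatch() has the shape of curl's case-insensitive cookie_tailmatch, and the two accept_cookie_domain_* functions are hypothetical names for the raw (vulnerable) and lowercased (fixed) call paths.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed mini public-suffix list, stored lowercase the way libpsl's
   data is. Hypothetical stand-in for libpsl, not its real data set. */
static const char *const PSL[] = { "com", "uk", "co.uk" };

/* Exact, case-sensitive lookup: a raw "co.UK" never matches "co.uk".
   This models the behaviour that made the unnormalized call unsafe. */
static int is_public_suffix(const char *domain)
{
    size_t i;
    for (i = 0; i < sizeof(PSL) / sizeof(PSL[0]); i++)
        if (strcmp(domain, PSL[i]) == 0)
            return 1;
    return 0;
}

/* Case-insensitive tail match on a label boundary, the shape of curl's
   cookie_tailmatch: "co.UK" matches host "www.example.co.uk". */
static int tailmatch(const char *cookie_domain, const char *host)
{
    size_t cl = strlen(cookie_domain), hl = strlen(host), i;
    const char *tail;
    if (cl == 0 || cl > hl)
        return 0;
    tail = host + (hl - cl);
    for (i = 0; i < cl; i++)
        if (tolower((unsigned char)tail[i]) !=
            tolower((unsigned char)cookie_domain[i]))
            return 0;
    return cl == hl || tail[-1] == '.';
}

/* Acceptability rule in the spirit of psl_is_cookie_domain_acceptable:
   the cookie domain must not be a public suffix and must tail-match host. */
static int domain_acceptable(const char *host, const char *cookie_domain)
{
    if (is_public_suffix(cookie_domain))
        return 0;
    return tailmatch(cookie_domain, host);
}

/* Vulnerable path: both arguments forwarded raw, as in curl <= 8.4.0. */
int accept_cookie_domain_raw(const char *host, const char *cookie_domain)
{
    return domain_acceptable(host, cookie_domain);
}

/* Minimal equivalent of Curl_strntolower: copy n bytes, lowercasing. */
static void lowercase_copy(char *dst, const char *src, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
}

/* Fixed path: lowercase both strings into stack buffers first, the shape
   of the upstream fix. Over-long inputs are rejected rather than passed
   through unchecked. */
int accept_cookie_domain_normalized(const char *host, const char *cookie_domain)
{
    char lcase[256], lcookie[256];
    size_t dlen = strlen(host), clen = strlen(cookie_domain);
    if (dlen >= sizeof(lcase) || clen >= sizeof(lcookie))
        return 0;
    lowercase_copy(lcase, host, dlen + 1);       /* +1 copies the NUL */
    lowercase_copy(lcookie, cookie_domain, clen + 1);
    return domain_acceptable(lcase, lcookie);
}

int main(void)
{
    /* Constructed inputs: a benign cookie and the mixed-case super-cookie. */
    const char *host = "www.example.co.uk";
    printf("raw        example.co.uk -> %d\n", accept_cookie_domain_raw(host, "example.co.uk"));
    printf("raw        co.UK         -> %d (bug: accepted)\n", accept_cookie_domain_raw(host, "co.UK"));
    printf("normalized co.UK         -> %d (fixed: rejected)\n", accept_cookie_domain_normalized(host, "co.UK"));
    return 0;
}
```

The raw path accepts Domain=co.UK only because the suffix lookup is exact while the tail match is not; lowercasing both sides before the lookup closes that gap, and lowercase Domain=co.uk was already rejected on both paths.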