CVE-2023-46218: curl cookie domain PSL check absent in Curl_cookie_getlist() — asymmetric validation logic bug
curl (version 8.4.0 and earlier) has a logic bug in its cookie engine: Public Suffix List (PSL) validation is applied inconsistently. Curl_cookie_add() contains a PSL check (guarded by #ifdef USE_LIBPSL at line 1025 of lib/cookie.c) that prevents cookies from being stored for public suffixes (e.g. "com", "co.uk"). However, Curl_cookie_getlist() — which decides which cookies to send with each request — performs only a basic case-insensitive tailmatch (cookie_tailmatch) with NO PSL check at lines 1407-1411. This allows cookies with a public-suffix domain to be sent to all matching hosts.

Second sub-issue: when cookies are loaded from a Netscape-format cookie file (lib/cookie.c line 1255), Curl_cookie_add() is called with domain=NULL. The PSL guard condition if(data && (domain && co->domain && ...)) evaluates FALSE, bypassing PSL validation entirely. Any cookie file entry with domain='com' and tailmatch=TRUE will then be sent to all .com hosts.

CVE ID: CVE-2023-46218.
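
The asymmetry described above, modelled as an added example (not curl's code and not the upstream fix): a store-time guard that is skipped when the request domain is NULL, next to a send-time decision that repeats the suffix check. The function names and the three-entry suffix list are assumptions standing in for libpsl.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for a libpsl lookup: a tiny fixed suffix list. */
static const char *const SUFFIXES[] = { "com", "org", "co.uk" };

static int is_public_suffix(const char *domain)
{
  for(size_t i = 0; i < sizeof(SUFFIXES) / sizeof(SUFFIXES[0]); i++)
    if(!strcasecmp(domain, SUFFIXES[i]))
      return 1;
  return 0;
}

/* Case-insensitive tail match: host equals the cookie domain, or ends
   with "." followed by the cookie domain. No suffix check here. */
static int tailmatch(const char *cookie_domain, const char *host)
{
  size_t clen = strlen(cookie_domain), hlen = strlen(host);
  if(!clen || hlen < clen || strncasecmp(cookie_domain, host + hlen - clen, clen))
    return 0;
  return hlen == clen || host[hlen - clen - 1] == '.';
}

/* Store-time guard shaped like the one described above: the suffix check
   only runs when a request domain is supplied. File loads pass NULL. */
static int store_allowed(const char *request_domain, const char *cookie_domain)
{
  if(request_domain && cookie_domain && is_public_suffix(cookie_domain))
    return !strcasecmp(request_domain, cookie_domain);
  return 1;
}

/* Send-time decision with the suffix check repeated, so an entry that
   entered the jar through the unchecked path is still withheld. */
static int send_allowed(const char *cookie_domain, const char *host)
{
  if(is_public_suffix(cookie_domain) && strcasecmp(cookie_domain, host))
    return 0;
  return tailmatch(cookie_domain, host);
}

int main(void)
{
  printf("store: request path %d, file load %d\n",
         store_allowed("www.example.com", "com"), store_allowed(NULL, "com"));
  printf("send:  tailmatch only %d, with suffix check %d\n",
         tailmatch("com", "www.example.com"), send_allowed("com", "www.example.com"));
  return 0;
}
```

Validating at the point of use as well as at the point of storage means a jar entry is safe regardless of which path put it there.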