
CVE-2023-46218: curl cookie PSL check missing in Curl_cookie_getlist() (asymmetric validation logic bug)


CVE-2023-46218 is a logic bug in curl's cookie handling (lib/cookie.c, curl 8.4.0 and earlier). Cookie domain matching during retrieval (Curl_cookie_getlist()) lacks the Public Suffix List (PSL) validation that is applied during insertion (Curl_cookie_add()). As a result, cookies can be sent to domains they were never meant for.

Two interacting flaws:

  1. Curl_cookie_getlist() (lines 1407-1411) relies solely on cookie_tailmatch(), a plain suffix comparison, with no PSL check.
  2. The PSL check in Curl_cookie_add() (lines 1025-1048) is guarded by if(data && (domain && co->domain ...)). When cookies are loaded from a Netscape cookie jar file, Curl_cookie_add() is called with domain=NULL, so the guard fails and the PSL check is silently bypassed.

Result: A crafted cookie jar file can inject a cookie whose domain is a public suffix such as com. When curl later requests ANY .com hostname, cookie_tailmatch("com", 3, "example.com") returns TRUE and the cookie is forwarded, leaking or injecting state across every .com site.
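To make the asymmetry concrete, the following added example (not curl's code) models a tailmatch-style suffix check beside a retrieval-time check that also consults the PSL; the tiny public-suffix table is a constructed stand-in for a real libpsl lookup.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Suffix match in the spirit of curl's cookie_tailmatch(): true when the
   cookie domain equals the host or is a suffix of it at a label boundary.
   This alone accepts a cookie scoped to "com" for every .com hostname. */
static bool tailmatch(const char *cookie_domain, size_t cookie_len,
                      const char *hostname)
{
    size_t host_len = strlen(hostname);
    if(host_len < cookie_len)
        return false;
    if(strncasecmp(cookie_domain, hostname + host_len - cookie_len,
                   cookie_len) != 0)
        return false;
    /* exact match, or the preceding character must be a dot */
    return host_len == cookie_len || hostname[host_len - cookie_len - 1] == '.';
}

/* Constructed stand-in for a Public Suffix List; real code would use libpsl. */
static const char *const public_suffixes[] = { "com", "co.uk", "github.io" };

static bool is_public_suffix(const char *domain)
{
    size_t n = sizeof(public_suffixes) / sizeof(public_suffixes[0]);
    for(size_t i = 0; i < n; i++)
        if(strcasecmp(domain, public_suffixes[i]) == 0)
            return true;
    return false;
}

/* Retrieval-side decision that applies the PSL no matter how the cookie
   entered the jar (HTTP response or Netscape cookie file). */
static bool cookie_applies(const char *cookie_domain, const char *hostname)
{
    if(is_public_suffix(cookie_domain))
        return false;   /* a public-suffix cookie must never be sent */
    return tailmatch(cookie_domain, strlen(cookie_domain), hostname);
}
```

The first call in the test below reproduces the report's cookie_tailmatch("com", 3, "example.com") case; the PSL-aware check rejects that same cookie while still accepting ordinary domain cookies.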
