CVE-2023-46218 — curl cookie mixed-case PSL bypass in Curl_cookie_add
CVE-2023-46218 in curl ≤ 8.4.0: a malicious HTTP server can set 'super-cookies' that are sent to many unrelated origins by exploiting a mixed-case bypass of the Public Suffix List (PSL) check. In lib/cookie.c, Curl_cookie_add() copies the Set-Cookie 'domain=' attribute verbatim into co->domain via strstore(), with no case folding. When USE_LIBPSL is defined, psl_is_cookie_domain_acceptable(psl, domain, co->domain) is then invoked with that raw mixed-case string. PSL entries are stored lowercased and the underlying comparison can be case-sensitive, so 'CO.UK' (or any other mixed-case form) is not recognized as a public suffix, and the cookie is accepted with a TLD/eTLD-wide scope. On subsequent requests, Curl_cookie_getlist() and cookie_tailmatch() match domains case-insensitively (strncasecompare), so the super-cookie is sent to every host under that suffix. Curl_cookie_getlist() also performs no PSL re-check, so cookies loaded from a tampered cookie jar are never revalidated.
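The mismatch between the two comparisons is the whole bug, so here is an added C model of it (this is illustrative code, not curl's or libpsl's): cookie_domain_acceptable_raw() mirrors a byte-exact PSL lookup over a constructed three-entry stand-in list, tailmatch() mirrors the case-insensitive host match, and cookie_domain_acceptable_fixed() shows the hardening of folding the attribute to lowercase before the check. All function names, the list contents and the 256-byte domain limit are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Constructed stand-in for the Public Suffix List (not libpsl). Real PSL
 * entries are stored lowercased, so this list is lowercase too. */
static const char *const kPsl[] = { "com", "co.uk", "github.io" };

/* Vulnerable path: PSL check applied to the raw domain= attribute. A cookie
 * domain that IS a public suffix must be rejected, but byte-exact strcmp()
 * is the weak point: "CO.UK" != "co.uk", so the mixed-case form passes. */
bool cookie_domain_acceptable_raw(const char *cookie_domain)
{
    for (size_t i = 0; i < sizeof kPsl / sizeof kPsl[0]; i++)
        if (strcmp(kPsl[i], cookie_domain) == 0)
            return false;
    return true;
}

/* Case-insensitive compare of n bytes (models strncasecompare). */
static bool eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Models cookie_tailmatch(): a cookie scoped to "CO.UK" matches every host
 * ending in ".co.uk", so an accepted eTLD-scoped cookie is sent everywhere. */
bool tailmatch(const char *cookie_domain, const char *host)
{
    size_t cl = strlen(cookie_domain), hl = strlen(host);
    if (cl > hl || !eq_nocase(host + hl - cl, cookie_domain, cl))
        return false;
    return cl == hl || host[hl - cl - 1] == '.';
}

/* Hardened path: fold the attribute to lowercase before the PSL check, so
 * the check sees the same scope that tailmatch() will later honour. */
bool cookie_domain_acceptable_fixed(const char *domain_attr)
{
    char lower[256];
    size_t n = strlen(domain_attr);
    if (n >= sizeof lower)
        return false;                  /* over-long domain: reject */
    for (size_t i = 0; i <= n; i++)    /* also copies the terminating NUL */
        lower[i] = (char)tolower((unsigned char)domain_attr[i]);
    return cookie_domain_acceptable_raw(lower);
}
```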