CVE-2023-46218

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.

Esta falla permite que un servidor HTTP malicioso establezca "supercookies" en curl que luego se devuelven a más orígenes de los que están permitidos o son posibles. Esto permite que un sitio establezca cookies que luego se enviarán a sitios y dominios diferentes y no relacionados. Podría hacer esto explotando una falla de mayúsculas y minúsculas en la función de curl que verifica un dominio de cookie determinado con Public Suffix List (PSL). Por ejemplo, una cookie podría configurarse con `domain=co.UK` cuando la URL utilizaba un nombre de host en minúscula `curl.co.uk`, aunque `co.uk` aparezca como un dominio PSL.