While implementing cookies for Mget (https://github.com/rockdaboot/mget) 
conforming to RFC 6265, I stumbled over http://publicsuffix.org/ (Mozilla 
Public Suffix List).

Looking at the Wget sources reveals that there is just a very incomplete check 
for public suffixes. That implies a very severe vulnerability to "supercookie" 
attacks when cookies are switched on (they are by default).

Since Mget was meant as a Wget2 candidate (all or parts of the sources), please 
feel free to copy the needed source code from it (see cookie.c/cookie.h and 
tests/test.c for test routines). Right now, I just don't have the time to do 
the work, but of course I will answer your questions.

Shouldn't there be a warning within the docs / man pages?
What do you think?

Regards, Tim
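
The following is an added example, not part of the original message and not code from Mget or Wget: a sketch of the public-suffix check that RFC 6265 asks for before a cookie's Domain attribute is accepted, using the Public Suffix List matching rules (plain, wildcard, exception). The rule array is a small constructed subset, the function names are hypothetical, and inputs are assumed to be lowercase host names (IP addresses are not handled).

```c
#include <stdio.h>
#include <string.h>

/* Constructed subset showing the three rule kinds of the Public Suffix List. */
static const char *const rules[] = { "com", "uk", "co.uk", "*.ck", "!www.ck" };
static int count_labels(const char *s) {
    int n = 1;
    for (; *s; s++) n += (*s == '.');
    return n;
}
/* Does rule (without '!') match the rightmost labels of domain? */
static int rule_matches(const char *rule, const char *domain) {
    int rl = count_labels(rule), dl = count_labels(domain);
    if (rl > dl) return 0;
    for (; dl > rl; dl--) domain = strchr(domain, '.') + 1; /* drop extra left labels */
    /* leading wildcard matches any one label */
    if (rule[0] == '*' && rule[1] == '.') { rule += 2; domain = strchr(domain, '.') + 1; }
    return strcmp(rule, domain) == 0;
}
/* Label count of the public suffix of domain (lowercase, no leading/trailing dot). */
static int suffix_labels(const char *domain) {
    int best = 1;                            /* implicit "*" rule if nothing matches */
    for (size_t i = 0; i < sizeof rules / sizeof *rules; i++) {
        const char *r = rules[i];
        if (*r == '!') {                     /* exception prevails, minus its left label */
            if (rule_matches(r + 1, domain)) return count_labels(r + 1) - 1;
        } else if (rule_matches(r, domain) && count_labels(r) > best)
            best = count_labels(r);
    }
    return best;
}
int is_public_suffix(const char *d) { return suffix_labels(d) == count_labels(d); }

/* RFC 6265 domain-match: identical, or host ends with "." + domain. */
static int domain_match(const char *host, const char *domain) {
    size_t hl = strlen(host), dl = strlen(domain);
    if (hl == dl) return strcmp(host, domain) == 0;
    return hl > dl && host[hl - dl - 1] == '.' && strcmp(host + hl - dl, domain) == 0;
}
/* 1 if a cookie carrying this Domain attribute may be stored for host. */
int cookie_domain_acceptable(const char *host, const char *cookie_domain) {
    if (is_public_suffix(cookie_domain))     /* allowed only as the host itself */
        return strcmp(host, cookie_domain) == 0;
    return domain_match(host, cookie_domain);
}

int main(void) {   /* prints "0 1": Domain=co.uk rejected, Domain=example.co.uk accepted */
    printf("%d %d\n", cookie_domain_acceptable("shop.example.co.uk", "co.uk"),
           cookie_domain_acceptable("shop.example.co.uk", "example.co.uk"));
    return 0;
}
```

A real client would load the full list from publicsuffix.org instead of the five constructed rules and would treat an accepted public-suffix Domain as a host-only cookie.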
