curl-library
Curl is accepting cookies with domain=com
Date: Mon, 2 Aug 2004 10:19:20 -0700
Hello,
Curl and libcurl seem to be accepting cookies with a single dot in the
domain when the top-level domain is one of the seven special domains named
in the original Netscape cookie spec. In other words, it will accept a
cookie with "domain=com" and pass it along to other .com domains.
It seems that a change in cookie.c to lower the minimum requirement of 3
dots in a cookie to 2 (assuming the leading dot) didn't take into account
that the "dot count" was already being increased by one for cookies under
these top-level domains.
I've verified this bug and tested the fix with today's daily build
(20040802), but I didn't add any test case. I've attached a proposed patch
that I built from the 20040802 source.
Of course, I'm submitting this patch without even discussing the bug on the
list, so I might not completely understand the situation. If so, apologies
in advance!
Dylan Salisbury
- text/plain attachment: cookie.c-tld-patch.txt
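
A small C model of the dot-count check as the message above describes it, added here as an illustration; it is not curl's cookie.c and not the attached patch. The function names, the sample domains and the form of the correction are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* The seven special top-level domains named in the Netscape cookie spec. */
static const char *const special_tlds[] = { "com", "edu", "net", "org", "gov", "mil", "int" };

/* Return 1 if the last label of the domain is one of the seven special TLDs. */
static int has_special_tld(const char *domain)
{
  const char *last = strrchr(domain, '.');
  last = last ? last + 1 : domain;
  for(size_t i = 0; i < sizeof(special_tlds) / sizeof(special_tlds[0]); i++)
    if(strcasecmp(last, special_tlds[i]) == 0)
      return 1;
  return 0;
}

/* Count the dots in a domain attribute; a missing leading dot is assumed. */
static int count_dots(const char *domain)
{
  int dots = (domain[0] == '.') ? 0 : 1;
  for(; *domain; domain++)
    if(*domain == '.')
      dots++;
  return dots;
}

/* Model of the reported behaviour (assumption): the special-TLD increment is
   kept while the minimum has been lowered from 3 to 2. */
int accept_domain_reported(const char *domain)
{
  return count_dots(domain) + has_special_tld(domain) >= 2;
}

/* Assumed correction, not the attached patch: minimum of 2, no increment. */
int accept_domain_corrected(const char *domain)
{
  return count_dots(domain) >= 2;
}

int main(void)
{
  /* Constructed sample domain attributes. */
  const char *samples[] = { "com", ".com", "de", ".example.com", ".example.de" };
  for(size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("%-13s reported=%d corrected=%d\n", samples[i],
           accept_domain_reported(samples[i]), accept_domain_corrected(samples[i]));
  return 0;
}
```

In this model "com" and ".com" pass the reported check while "de" does not, because only the special TLDs receive the extra increment.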