From a15cfeb10057f2462ab2276c7d28aeb8baff9b8e Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 14 May 2026 23:46:45 +0200
Subject: [PATCH] cookie: compare path case sensitively

Verify with test 1645

Reported-by: Joshua Rogers
Closes #21616
---
 lib/cookie.c           |  4 +--
 tests/data/Makefile.am |  2 +-
 tests/data/test1645    | 73 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 76 insertions(+), 3 deletions(-)
 create mode 100644 tests/data/test1645

diff --git a/lib/cookie.c b/lib/cookie.c
index 13732d9274..7ecef3a666 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -854,7 +854,7 @@ static bool replace_existing(struct Curl_easy *data,
         else
           cllen = strlen(clist->path);
 
-        if(curl_strnequal(clist->path, co->path, cllen)) {
+        if(!strncmp(clist->path, co->path, cllen)) {
           infof(data, "cookie '%s' for domain '%s' dropped, would "
                 "overlay an existing cookie", co->name, co->domain);
           return FALSE;
@@ -878,7 +878,7 @@ static bool replace_existing(struct Curl_easy *data,
         /* the domains were identical */
 
         if(clist->path && co->path &&
-           !curl_strequal(clist->path, co->path))
+           strcmp(clist->path, co->path))
           replace_old = FALSE;
         else if(!clist->path != !co->path)
           replace_old = FALSE;
diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
index 7216d0a7c9..ec9620b9cd 100644
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@@ -217,7 +217,7 @@ test1620 test1621 test1622 test1623 test1624 test1625 test1626 test1627 \
 test1628 \
 \
 test1630 test1631 test1632 test1633 test1634 test1635 test1636 test1637 \
-test1638 test1639 test1640 test1641 test1642 test1643 test1644 \
+test1638 test1639 test1640 test1641 test1642 test1643 test1644 test1645 \
 \
 test1650 test1651 test1652 test1653 test1654 test1655 test1656 test1657 \
 test1658 test1659 test1660 test1661 test1662 test1663 test1664 test1665 \
diff --git a/tests/data/test1645 b/tests/data/test1645
new file mode 100644
index 0000000000..bdb0e24792
--- /dev/null
+++ b/tests/data/test1645
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+cookies
+cookiejar
+</keywords>
+</info>
+# Server-side
+
+<reply>
+<data crlf="headers">
+HTTP/1.1 200 OK
+Content-Length: 4
+Content-Type: text/html
+Funny-head: yesyes
+Set-Cookie: name=value; domain=test.curl; path=/we/want
+
+boo
+</data>
+<data2 crlf="headers">
+HTTP/1.1 200 OK
+Content-Length: 4
+Content-Type: text/html
+Funny-head: yesyes
+Set-Cookie: name=value; domain=test.curl; path=/WE/WANT
+
+boo
+</data2>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+<name>
+cookies for paths using different case
+</name>
+<command>
+http://test.curl:%HTTPPORT/we/want/ http://test.curl:%HTTPPORT/WE/WANT/%TESTNUMBER0002 -c %LOGDIR/jar%TESTNUMBER.txt --resolve test.curl:%HTTPPORT:%HOSTIP
+</command>
+<features>
+cookies
+</features>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<protocol crlf="headers">
+GET /we/want/ HTTP/1.1
+Host: test.curl:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+GET /WE/WANT/%TESTNUMBER0002 HTTP/1.1
+Host: test.curl:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+</protocol>
+<file name="%LOGDIR/jar%TESTNUMBER.txt" mode="text">
+# Netscape HTTP Cookie File
+# https://curl.se/docs/http-cookies.html
+# This file was generated by libcurl! Edit at your own risk.
+
+.test.curl	TRUE	/WE/WANT	FALSE	0	name	value
+.test.curl	TRUE	/we/want	FALSE	0	name	value
+</file>
+</verify>
+</testcase>