has_known_suffix always return true

[Diggsey]

This is a security vulnerability, as programs may rely on this to screen out local domains, eg. "example.svc.local".

I understand that the algorithm described on https://publicsuffix.org/list/ specifies that:

If no rules match, the prevailing rule is "*".

However, this is for a specific use-case: when determining what part of the domain is the public suffix. Using this rule when determining whether the suffix is "known" is a huge security hole, as it essentially treats all domains as "known".

Specifically the "type" should be None, if the wildcard rule is used as a fallback.

[bradfier]

#31 contains a possible minimal fix for this behaviour.

[rushmorem]

Fixed by #31