fix: properly handle IPv6 addresses in HTTP Host headers

This commit fixes IPv6 address handling in HTTP client Host headers
by adding bracket notation when required and improving URL parsing
validation.

Changes:
- Add automatic bracket wrapping for unbracketed IPv6 addresses in
  Host headers for both standard and non-standard ports
- Add IPv6 bracketing for HTTPS default port (443) to ensure RFC
  compliance even when port is omitted (e.g., Host: [::1])
- Fix off-by-one error in IPv6 bracket stripping (was removing one
  extra character)
- Fix incorrect length calculation in flb_utils_copy_host_sds for
  bracketed IPv6 extraction (changed from absolute position to
  relative length to properly account for pos_init offset)
- Strip IPv6 zone IDs (e.g., %eth0) from Host headers per RFC 3986
  which prohibits zone IDs in URIs (e.g., fe80::1%eth0 becomes
  [fe80::1]:8080 in Host header)
- Perform zone ID stripping before inet_pton() validation to ensure
  proper IPv6 address detection for link-local addresses
- Add URI path prepending for URLs with query/fragment but no path
  (e.g., http://example.com?query=1 becomes /?query=1) per RFC 7230
- Constrain IPv6 bracket validation to host portion only, preventing
  false negatives when brackets appear in URL paths or query strings
- Update validate_ipv6_brackets() to recognize '?' and '#' as host
  delimiters in addition to '/'
- Refactor URL parsing logic to eliminate duplication
- Use memchr with length limit for consistent and safe bracket
  detection in both IPv6 and non-IPv6 cases
- Improve error handling in URL parsing with proper cleanup on failure
- Update TLS flag checking to use flb_stream_get_flag_status() for
  more reliable detection

Tests:
- Add test for IPv6 with HTTPS on default port 443
- Add test cases for IPv6 addresses with zone IDs (verifying zone ID
  stripping behavior)
- Add test cases for brackets in URL paths and query strings
- Add test cases for malformed bracket scenarios

Signed-off-by: Shelby Hagman <[email protected]>

Author: ShelbyZ

src/flb_http_client.c

@@ -33,7 +33,13 @@
 #define _GNU_SOURCE
 #include <string.h>
 
+#ifdef FLB_SYSTEM_WINDOWS
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#endif
+
 #include <fluent-bit/flb_info.h>
+#include <fluent-bit/flb_compat.h>
 #include <fluent-bit/flb_kv.h>
 #include <fluent-bit/flb_log.h>
 #include <fluent-bit/flb_mem.h>
@@ -617,11 +623,55 @@ static int add_host_and_content_length(struct flb_http_client *c)
         out_port = c->port;
     }
 
-    if (c->flags & FLB_IO_TLS && out_port == 443) {
-        tmp = flb_sds_copy(host, out_host, strlen(out_host));
+    /* Check if out_host is an unbracketed IPv6 address */
+    struct in6_addr addr;
+    char *zone_id;
+    char addr_buf[INET6_ADDRSTRLEN];
+    int is_ipv6 = 0;
+    int is_https_default_port;
+    const char *host_for_header;
+
+    if (out_host && out_host[0] != '[') {
+        /* Strip zone ID if present (e.g., fe80::1%eth0 -> fe80::1) */
+        zone_id = strchr(out_host, '%');
+        if (zone_id) {
+            len = zone_id - out_host;
+            if (len < INET6_ADDRSTRLEN) {
+                memcpy(addr_buf, out_host, len);
+                addr_buf[len] = '\0';
+                is_ipv6 = (inet_pton(AF_INET6, addr_buf, &addr) == 1);
+            }
+        }
+        else {
+            is_ipv6 = (inet_pton(AF_INET6, out_host, &addr) == 1);
+        }
+    }
+
+    /* Use stripped address (without zone ID) for Host header if zone ID was present */
+    host_for_header = (is_ipv6 && zone_id) ? addr_buf : out_host;
+
+    /* Check if connection uses TLS and port is 443 (HTTPS default) */
+    is_https_default_port = flb_stream_get_flag_status(&u->base, FLB_IO_TLS) && out_port == 443;
+
+    if (is_https_default_port) {
+        if (is_ipv6) {
+            /* IPv6 address needs brackets for RFC compliance */
+            tmp = flb_sds_printf(&host, "[%s]", host_for_header);
+        }
+        else {
+            /* HTTPS on default port 443 - omit port from Host header */
+            tmp = flb_sds_copy(host, out_host, strlen(out_host));
+        }
     }
     else {
-        tmp = flb_sds_printf(&host, "%s:%i", out_host, out_port);
+        if (is_ipv6) {
+            /* IPv6 address needs brackets when combined with port */
+            tmp = flb_sds_printf(&host, "[%s]:%i", host_for_header, out_port);
+        }
+        else {
+            /* IPv4 address, domain name, or already bracketed IPv6 */
+            tmp = flb_sds_printf(&host, "%s:%i", out_host, out_port);
+        }
     }
 
     if (!tmp) {

src/flb_network.c

@@ -30,6 +30,7 @@
 #ifdef FLB_SYSTEM_WINDOWS
 #define poll WSAPoll
 #include <winsock2.h>
+#include <ws2tcpip.h>
 #else
 #include <sys/poll.h>
 #endif

src/flb_utils.c

@@ -1431,13 +1431,103 @@ static char *flb_utils_copy_host_sds(const char *string, int pos_init, int pos_e
         if (string[pos_end-1] != ']') {
             return NULL;
         }
-        return flb_sds_create_len(string + pos_init + 1, pos_end - 1);
+        return flb_sds_create_len(string + pos_init + 1, pos_end - pos_init - 2);
     }
     else {
-        return flb_sds_create_len(string + pos_init, pos_end);
+        return flb_sds_create_len(string + pos_init, pos_end - pos_init);
     }
 }
 
+/* Validate IPv6 bracket syntax in URL host part */
+static int validate_ipv6_brackets(const char *p, const char **out_bracket)
+{
+    const char *host_end;
+    const char *bracket = NULL;
+    const char *closing;
+    const char *query_or_fragment;
+
+    /* Only inspect the host portion (up to the first '/', '?', or '#') */
+    host_end = strchr(p, '/');
+    query_or_fragment = strpbrk(p, "?#");
+    
+    /* Use the earliest delimiter found */
+    if (query_or_fragment && (!host_end || query_or_fragment < host_end)) {
+        host_end = query_or_fragment;
+    }
+    
+    if (!host_end) {
+        host_end = p + strlen(p);
+    }
+
+    if (p[0] == '[') {
+        closing = memchr(p, ']', host_end - p);
+        if (!closing || closing == p + 1) {
+            /* Missing closing bracket or empty brackets [] */
+            return -1;
+        }
+        bracket = closing;
+    }
+    else {
+        /* Non-bracketed hosts must not contain ']' before the first '/' */
+        closing = memchr(p, ']', host_end - p);
+        if (closing) {
+            return -1;
+        }
+    }
+
+    if (out_bracket) {
+        *out_bracket = bracket;
+    }
+    return 0;
+}
+
+/* Helper to create URI with prepended '/' if it starts with '?' or '#' */
+static char *create_uri_with_slash(const char *uri_part)
+{
+    char *uri;
+    size_t uri_part_len;
+
+    if (!uri_part || *uri_part == '\0') {
+        return flb_strdup("/");
+    }
+
+    /* If URI starts with '?' or '#', prepend '/' */
+    if (*uri_part == '?' || *uri_part == '#') {
+        uri_part_len = strlen(uri_part);
+        /* Allocate space for '/' + uri_part + '\0' */
+        uri = flb_malloc(uri_part_len + 2);
+        if (!uri) {
+            return NULL;
+        }
+        uri[0] = '/';
+        /* +1 to include '\0' */
+        memcpy(uri + 1, uri_part, uri_part_len + 1);
+        return uri;
+    }
+
+    /* URI already starts with '/' or is a normal path */
+    return flb_strdup(uri_part);
+}
+
+/* SDS version: Helper to create URI with prepended '/' if it starts with '?' or '#' */
+static flb_sds_t create_uri_with_slash_sds(const char *uri_part)
+{
+    char *result;
+    flb_sds_t uri;
+
+    /* Use the regular version to create the string */
+    result = create_uri_with_slash(uri_part);
+    if (!result) {
+        return NULL;
+    }
+
+    /* Convert to SDS */
+    uri = flb_sds_create(result);
+    flb_free(result);
+
+    return uri;
+}
+
 int flb_utils_url_split(const char *in_url, char **out_protocol,
                         char **out_host, char **out_port, char **out_uri)
 {
@@ -1448,6 +1538,7 @@ int flb_utils_url_split(const char *in_url, char **out_protocol,
     char *p;
     char *tmp;
     char *sep;
+    const char *bracket = NULL;
 
     /* Protocol */
     p = strstr(in_url, "://");
@@ -1467,9 +1558,17 @@ int flb_utils_url_split(const char *in_url, char **out_protocol,
     /* Advance position after protocol */
     p += 3;
 
-    /* Check for first '/' */
+    /* Validate IPv6 brackets */
     sep = strchr(p, '/');
-    tmp = strchr(p, ':');
+    if (validate_ipv6_brackets(p, &bracket) < 0) {
+        flb_errno();
+        goto error;
+    }
+    if (bracket) {
+        tmp = strchr(bracket, ':');
+    } else {
+        tmp = strchr(p, ':');
+    }
 
     /* Validate port separator is found before the first slash */
     if (sep && tmp) {
@@ -1478,36 +1577,53 @@ int flb_utils_url_split(const char *in_url, char **out_protocol,
         }
     }
 
+    /* Extract host if port separator was found */
     if (tmp) {
         host = flb_copy_host(p, 0, tmp - p);
         if (!host) {
             flb_errno();
             goto error;
         }
         p = tmp + 1;
+    }
 
-        /* Look for an optional URI */
-        tmp = strchr(p, '/');
+    /* Find URI delimiter (/, ?, or #) */
+    tmp = strpbrk(p, "/?#");
+    
+    if (!host) {
+        /* No port: extract host */
         if (tmp) {
-            port = mk_string_copy_substr(p, 0, tmp - p);
-            uri = flb_strdup(tmp);
+            host = flb_copy_host(p, 0, tmp - p);
         }
         else {
-            port = flb_strdup(p);
-            uri = flb_strdup("/");
+            host = flb_copy_host(p, 0, strlen(p));
+        }
+        if (!host) {
+            flb_errno();
+            goto error;
         }
     }
     else {
-        tmp = strchr(p, '/');
+        /* Port exists: extract port */
         if (tmp) {
-            host = flb_copy_host(p, 0, tmp - p);
-            uri = flb_strdup(tmp);
+            port = mk_string_copy_substr(p, 0, tmp - p);
         }
         else {
-            host = flb_copy_host(p, 0, strlen(p));
-            uri = flb_strdup("/");
+            port = flb_strdup(p);
+        }
+    }
+
+    /* Extract URI */
+    if (tmp) {
+        uri = create_uri_with_slash(tmp);
+        if (!uri) {
+            flb_errno();
+            goto error;
         }
     }
+    else {
+        uri = flb_strdup("/");
+    }
 
     if (!port) {
         if (strcmp(protocol, "http") == 0) {
@@ -1529,6 +1645,15 @@ int flb_utils_url_split(const char *in_url, char **out_protocol,
     if (protocol) {
         flb_free(protocol);
     }
+    if (host) {
+        flb_free(host);
+    }
+    if (port) {
+        flb_free(port);
+    }
+    if (uri) {
+        flb_free(uri);
+    }
 
     return -1;
 }
@@ -1544,6 +1669,7 @@ int flb_utils_url_split_sds(const flb_sds_t in_url, flb_sds_t *out_protocol,
     char *p = NULL;
     char *tmp = NULL;
     char *sep = NULL;
+    const char *bracket = NULL;
 
     /* Protocol */
     p = strstr(in_url, "://");
@@ -1563,9 +1689,17 @@ int flb_utils_url_split_sds(const flb_sds_t in_url, flb_sds_t *out_protocol,
     /* Advance position after protocol */
     p += 3;
 
-    /* Check for first '/' */
+    /* Validate IPv6 brackets */
     sep = strchr(p, '/');
-    tmp = strchr(p, ':');
+    if (validate_ipv6_brackets(p, &bracket) < 0) {
+        flb_errno();
+        goto error;
+    }
+    if (bracket) {
+        tmp = strchr(bracket, ':');
+    } else {
+        tmp = strchr(p, ':');
+    }
 
     /* Validate port separator is found before the first slash */
     if (sep && tmp) {
@@ -1574,37 +1708,54 @@ int flb_utils_url_split_sds(const flb_sds_t in_url, flb_sds_t *out_protocol,
         }
     }
 
+    /* Extract host if port separator was found */
     if (tmp) {
         host = flb_utils_copy_host_sds(p, 0, tmp - p);
         if (!host) {
             flb_errno();
             goto error;
         }
         p = tmp + 1;
+    }
 
-        /* Look for an optional URI */
-        tmp = strchr(p, '/');
+    /* Find URI delimiter (/, ?, or #) */
+    tmp = strpbrk(p, "/?#");
+    
+    if (!host) {
+        /* No port: extract host */
         if (tmp) {
-            port = flb_sds_create_len(p, tmp - p);
-            uri = flb_sds_create(tmp);
+            host = flb_utils_copy_host_sds(p, 0, tmp - p);
         }
         else {
-            port = flb_sds_create_len(p, strlen(p));
-            uri = flb_sds_create("/");
+            host = flb_utils_copy_host_sds(p, 0, strlen(p));
+        }
+        if (!host) {
+            flb_errno();
+            goto error;
         }
     }
     else {
-        tmp = strchr(p, '/');
+        /* Port exists: extract port */
         if (tmp) {
-            host = flb_utils_copy_host_sds(p, 0, tmp - p);
-            uri = flb_sds_create(tmp);
+            port = flb_sds_create_len(p, tmp - p);
         }
         else {
-            host = flb_utils_copy_host_sds(p, 0, strlen(p));
-            uri = flb_sds_create("/");
+            port = flb_sds_create_len(p, strlen(p));
         }
     }
 
+    /* Extract URI */
+    if (tmp) {
+        uri = create_uri_with_slash_sds(tmp);
+        if (!uri) {
+            flb_errno();
+            goto error;
+        }
+    }
+    else {
+        uri = flb_sds_create("/");
+    }
+
     if (!port) {
         if (strcmp(protocol, "http") == 0) {
             port = flb_sds_create("80");