fix: properly handle IPv6 addresses in HTTP Host headers

This commit fixes IPv6 address handling in HTTP client Host headers
by adding bracket notation when required and improving URL parsing
validation.

- Add automatic bracket wrapping for unbracketed IPv6 addresses in
  Host headers when combined with port numbers
- Fix off-by-one error in IPv6 bracket stripping (was removing one
  extra character)
- Fix incorrect length calculation in flb_utils_copy_host_sds for
  bracketed IPv6 extraction (changed from absolute position to
  relative length to properly account for pos_init offset)
- Add IPv6 bracket validation to detect malformed URLs with missing
  or mismatched brackets
- Improve error handling in URL parsing with proper cleanup on failure
- Update TLS flag checking to use flb_stream_get_flag_status() for
  more reliable detection

Signed-off-by: Shelby Hagman <shelbyzh@amazon.com>

Author: ShelbyZ

src/flb_http_client.c

@@ -33,7 +33,13 @@
 #define _GNU_SOURCE
 #include <string.h>
 
+#ifdef FLB_SYSTEM_WINDOWS
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#endif
+
 #include <fluent-bit/flb_info.h>
+#include <fluent-bit/flb_compat.h>
 #include <fluent-bit/flb_kv.h>
 #include <fluent-bit/flb_log.h>
 #include <fluent-bit/flb_mem.h>
@@ -617,11 +623,23 @@ static int add_host_and_content_length(struct flb_http_client *c)
         out_port = c->port;
     }
 
-    if (c->flags & FLB_IO_TLS && out_port == 443) {
+    /* Check if connection uses TLS and port is 443 (HTTPS default) */
+    if (flb_stream_get_flag_status(&u->base, FLB_IO_TLS) && out_port == 443) {
+        /* HTTPS on default port 443 - omit port from Host header */
         tmp = flb_sds_copy(host, out_host, strlen(out_host));
     }
     else {
-        tmp = flb_sds_printf(&host, "%s:%i", out_host, out_port);
+        struct in6_addr addr;
+
+        /* Check if out_host is an unbracketed IPv6 address */
+        if (out_host && out_host[0] != '[' && inet_pton(AF_INET6, out_host, &addr) == 1) {
+            /* IPv6 address needs brackets when combined with port */
+            tmp = flb_sds_printf(&host, "[%s]:%i", out_host, out_port);
+        }
+        else {
+            /* IPv4 address, domain name, or already bracketed IPv6 */
+            tmp = flb_sds_printf(&host, "%s:%i", out_host, out_port);
+        }
     }
 
     if (!tmp) {

src/flb_network.c

@@ -30,6 +30,7 @@
 #ifdef FLB_SYSTEM_WINDOWS
 #define poll WSAPoll
 #include <winsock2.h>
+#include <ws2tcpip.h>
 #else
 #include <sys/poll.h>
 #endif

src/flb_utils.c

@@ -1431,13 +1431,36 @@ static char *flb_utils_copy_host_sds(const char *string, int pos_init, int pos_e
         if (string[pos_end-1] != ']') {
             return NULL;
         }
-        return flb_sds_create_len(string + pos_init + 1, pos_end - 1);
+        return flb_sds_create_len(string + pos_init + 1, pos_end - pos_init - 2);
     }
     else {
-        return flb_sds_create_len(string + pos_init, pos_end);
+        return flb_sds_create_len(string + pos_init, pos_end - pos_init);
     }
 }
 
+/* Validate IPv6 bracket syntax in URL host part */
+static int validate_ipv6_brackets(const char *p, char **out_bracket)
+{
+    char *bracket = NULL;
+
+    if (p[0] == '[') {
+        bracket = strchr(p, ']');
+        if (!bracket || bracket == p + 1) {
+            /* Missing closing bracket or empty brackets [] */
+            return -1;
+        }
+    }
+    else if (strchr(p, ']')) {
+        /* Has closing bracket but no opening bracket */
+        return -1;
+    }
+
+    if (out_bracket) {
+        *out_bracket = bracket;
+    }
+    return 0;
+}
+
 int flb_utils_url_split(const char *in_url, char **out_protocol,
                         char **out_host, char **out_port, char **out_uri)
 {
@@ -1448,6 +1471,7 @@ int flb_utils_url_split(const char *in_url, char **out_protocol,
     char *p;
     char *tmp;
     char *sep;
+    char *bracket = NULL;
 
     /* Protocol */
     p = strstr(in_url, "://");
@@ -1467,9 +1491,17 @@ int flb_utils_url_split(const char *in_url, char **out_protocol,
     /* Advance position after protocol */
     p += 3;
 
-    /* Check for first '/' */
+    /* Validate IPv6 brackets */
     sep = strchr(p, '/');
-    tmp = strchr(p, ':');
+    if (validate_ipv6_brackets(p, &bracket) < 0) {
+        flb_errno();
+        goto error;
+    }
+    if (bracket) {
+        tmp = strchr(bracket, ':');
+    } else {
+        tmp = strchr(p, ':');
+    }
 
     /* Validate port separator is found before the first slash */
     if (sep && tmp) {
@@ -1501,10 +1533,18 @@ int flb_utils_url_split(const char *in_url, char **out_protocol,
         tmp = strchr(p, '/');
         if (tmp) {
             host = flb_copy_host(p, 0, tmp - p);
+            if (!host) {
+                flb_errno();
+                goto error;
+            }
             uri = flb_strdup(tmp);
         }
         else {
             host = flb_copy_host(p, 0, strlen(p));
+            if (!host) {
+                flb_errno();
+                goto error;
+            }
             uri = flb_strdup("/");
         }
     }
@@ -1529,6 +1569,15 @@ int flb_utils_url_split(const char *in_url, char **out_protocol,
     if (protocol) {
         flb_free(protocol);
     }
+    if (host) {
+        flb_free(host);
+    }
+    if (port) {
+        flb_free(port);
+    }
+    if (uri) {
+        flb_free(uri);
+    }
 
     return -1;
 }
@@ -1544,6 +1593,7 @@ int flb_utils_url_split_sds(const flb_sds_t in_url, flb_sds_t *out_protocol,
     char *p = NULL;
     char *tmp = NULL;
     char *sep = NULL;
+    char *bracket = NULL;
 
     /* Protocol */
     p = strstr(in_url, "://");
@@ -1563,9 +1613,17 @@ int flb_utils_url_split_sds(const flb_sds_t in_url, flb_sds_t *out_protocol,
     /* Advance position after protocol */
     p += 3;
 
-    /* Check for first '/' */
+    /* Validate IPv6 brackets */
     sep = strchr(p, '/');
-    tmp = strchr(p, ':');
+    if (validate_ipv6_brackets(p, &bracket) < 0) {
+        flb_errno();
+        goto error;
+    }
+    if (bracket) {
+        tmp = strchr(bracket, ':');
+    } else {
+        tmp = strchr(p, ':');
+    }
 
     /* Validate port separator is found before the first slash */
     if (sep && tmp) {
@@ -1597,10 +1655,18 @@ int flb_utils_url_split_sds(const flb_sds_t in_url, flb_sds_t *out_protocol,
         tmp = strchr(p, '/');
         if (tmp) {
             host = flb_utils_copy_host_sds(p, 0, tmp - p);
+            if (!host) {
+                flb_errno();
+                goto error;
+            }
             uri = flb_sds_create(tmp);
         }
         else {
             host = flb_utils_copy_host_sds(p, 0, strlen(p));
+            if (!host) {
+                flb_errno();
+                goto error;
+            }
             uri = flb_sds_create("/");
         }
     }