fix: properly handle IPv6 addresses in HTTP Host headers

This commit fixes IPv6 address handling in HTTP client Host headers
by adding bracket notation when required and improving URL parsing
validation.

Changes:
- Add automatic bracket wrapping for unbracketed IPv6 addresses in
  Host headers for both standard and non-standard ports
- Add IPv6 bracketing for HTTPS default port (443) to ensure RFC
  compliance even when port is omitted (e.g., Host: [::1])
- Fix off-by-one error in IPv6 bracket stripping (was removing one
  extra character)
- Fix incorrect length calculation in flb_utils_copy_host_sds for
  bracketed IPv6 extraction (changed from absolute position to
  relative length to properly account for pos_init offset)
- Constrain IPv6 bracket validation to host portion only, preventing
  false negatives when brackets appear in URL paths or query strings
- Use memchr with length limit for consistent and safe bracket
  detection in both IPv6 and non-IPv6 cases
- Improve error handling in URL parsing with proper cleanup on failure
- Update TLS flag checking to use flb_stream_get_flag_status() for
  more reliable detection

Tests:
- Add test for IPv6 with HTTPS on default port 443
- Add test cases for brackets in URL paths and query strings
- Add test cases for malformed bracket scenarios

Signed-off-by: Shelby Hagman <shelbyzh@amazon.com>

Author: ShelbyZ

src/flb_http_client.c

@@ -33,7 +33,13 @@
 #define _GNU_SOURCE
 #include <string.h>
 
+#ifdef FLB_SYSTEM_WINDOWS
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#endif
+
 #include <fluent-bit/flb_info.h>
+#include <fluent-bit/flb_compat.h>
 #include <fluent-bit/flb_kv.h>
 #include <fluent-bit/flb_log.h>
 #include <fluent-bit/flb_mem.h>
@@ -617,11 +623,32 @@ static int add_host_and_content_length(struct flb_http_client *c)
         out_port = c->port;
     }
 
-    if (c->flags & FLB_IO_TLS && out_port == 443) {
-        tmp = flb_sds_copy(host, out_host, strlen(out_host));
+    /* Check if connection uses TLS and port is 443 (HTTPS default) */
+    if (flb_stream_get_flag_status(&u->base, FLB_IO_TLS) && out_port == 443) {
+        struct in6_addr addr;
+
+        /* Check if out_host is an unbracketed IPv6 address */
+        if (out_host && out_host[0] != '[' && inet_pton(AF_INET6, out_host, &addr) == 1) {
+            /* IPv6 address needs brackets for RFC compliance */
+            tmp = flb_sds_printf(&host, "[%s]", out_host);
+        }
+        else {
+            /* HTTPS on default port 443 - omit port from Host header */
+            tmp = flb_sds_copy(host, out_host, strlen(out_host));
+        }
     }
     else {
-        tmp = flb_sds_printf(&host, "%s:%i", out_host, out_port);
+        struct in6_addr addr;
+
+        /* Check if out_host is an unbracketed IPv6 address */
+        if (out_host && out_host[0] != '[' && inet_pton(AF_INET6, out_host, &addr) == 1) {
+            /* IPv6 address needs brackets when combined with port */
+            tmp = flb_sds_printf(&host, "[%s]:%i", out_host, out_port);
+        }
+        else {
+            /* IPv4 address, domain name, or already bracketed IPv6 */
+            tmp = flb_sds_printf(&host, "%s:%i", out_host, out_port);
+        }
     }
 
     if (!tmp) {

src/flb_network.c

@@ -30,6 +30,7 @@
 #ifdef FLB_SYSTEM_WINDOWS
 #define poll WSAPoll
 #include <winsock2.h>
+#include <ws2tcpip.h>
 #else
 #include <sys/poll.h>
 #endif

src/flb_utils.c

@@ -1431,13 +1431,48 @@ static char *flb_utils_copy_host_sds(const char *string, int pos_init, int pos_e
         if (string[pos_end-1] != ']') {
             return NULL;
         }
-        return flb_sds_create_len(string + pos_init + 1, pos_end - 1);
+        return flb_sds_create_len(string + pos_init + 1, pos_end - pos_init - 2);
     }
     else {
-        return flb_sds_create_len(string + pos_init, pos_end);
+        return flb_sds_create_len(string + pos_init, pos_end - pos_init);
     }
 }
 
+/* Validate IPv6 bracket syntax in URL host part */
+static int validate_ipv6_brackets(const char *p, char **out_bracket)
+{
+    const char *host_end;
+    char       *bracket = NULL;
+    char       *closing;
+
+    /* Only inspect the host portion (up to the first '/') */
+    host_end = strchr(p, '/');
+    if (!host_end) {
+        host_end = p + strlen(p);
+    }
+
+    if (p[0] == '[') {
+        closing = memchr(p, ']', host_end - p);
+        if (!closing || closing == p + 1) {
+            /* Missing closing bracket or empty brackets [] */
+            return -1;
+        }
+        bracket = closing;
+    }
+    else {
+        /* Non-bracketed hosts must not contain ']' before the first '/' */
+        closing = memchr(p, ']', host_end - p);
+        if (closing) {
+            return -1;
+        }
+    }
+
+    if (out_bracket) {
+        *out_bracket = bracket;
+    }
+    return 0;
+}
+
 int flb_utils_url_split(const char *in_url, char **out_protocol,
                         char **out_host, char **out_port, char **out_uri)
 {
@@ -1448,6 +1483,7 @@ int flb_utils_url_split(const char *in_url, char **out_protocol,
     char *p;
     char *tmp;
     char *sep;
+    char *bracket = NULL;
 
     /* Protocol */
     p = strstr(in_url, "://");
@@ -1467,9 +1503,17 @@ int flb_utils_url_split(const char *in_url, char **out_protocol,
     /* Advance position after protocol */
     p += 3;
 
-    /* Check for first '/' */
+    /* Validate IPv6 brackets */
     sep = strchr(p, '/');
-    tmp = strchr(p, ':');
+    if (validate_ipv6_brackets(p, &bracket) < 0) {
+        flb_errno();
+        goto error;
+    }
+    if (bracket) {
+        tmp = strchr(bracket, ':');
+    } else {
+        tmp = strchr(p, ':');
+    }
 
     /* Validate port separator is found before the first slash */
     if (sep && tmp) {
@@ -1501,10 +1545,18 @@ int flb_utils_url_split(const char *in_url, char **out_protocol,
         tmp = strchr(p, '/');
         if (tmp) {
             host = flb_copy_host(p, 0, tmp - p);
+            if (!host) {
+                flb_errno();
+                goto error;
+            }
             uri = flb_strdup(tmp);
         }
         else {
             host = flb_copy_host(p, 0, strlen(p));
+            if (!host) {
+                flb_errno();
+                goto error;
+            }
             uri = flb_strdup("/");
         }
     }
@@ -1529,6 +1581,15 @@ int flb_utils_url_split(const char *in_url, char **out_protocol,
     if (protocol) {
         flb_free(protocol);
     }
+    if (host) {
+        flb_free(host);
+    }
+    if (port) {
+        flb_free(port);
+    }
+    if (uri) {
+        flb_free(uri);
+    }
 
     return -1;
 }
@@ -1544,6 +1605,7 @@ int flb_utils_url_split_sds(const flb_sds_t in_url, flb_sds_t *out_protocol,
     char *p = NULL;
     char *tmp = NULL;
     char *sep = NULL;
+    char *bracket = NULL;
 
     /* Protocol */
     p = strstr(in_url, "://");
@@ -1563,9 +1625,17 @@ int flb_utils_url_split_sds(const flb_sds_t in_url, flb_sds_t *out_protocol,
     /* Advance position after protocol */
     p += 3;
 
-    /* Check for first '/' */
+    /* Validate IPv6 brackets */
     sep = strchr(p, '/');
-    tmp = strchr(p, ':');
+    if (validate_ipv6_brackets(p, &bracket) < 0) {
+        flb_errno();
+        goto error;
+    }
+    if (bracket) {
+        tmp = strchr(bracket, ':');
+    } else {
+        tmp = strchr(p, ':');
+    }
 
     /* Validate port separator is found before the first slash */
     if (sep && tmp) {
@@ -1597,10 +1667,18 @@ int flb_utils_url_split_sds(const flb_sds_t in_url, flb_sds_t *out_protocol,
         tmp = strchr(p, '/');
         if (tmp) {
             host = flb_utils_copy_host_sds(p, 0, tmp - p);
+            if (!host) {
+                flb_errno();
+                goto error;
+            }
             uri = flb_sds_create(tmp);
         }
         else {
             host = flb_utils_copy_host_sds(p, 0, strlen(p));
+            if (!host) {
+                flb_errno();
+                goto error;
+            }
             uri = flb_sds_create("/");
         }
     }