fluent · ShelbyZ · Sep 18, 2025
@@ -33,7 +33,13 @@
 #define _GNU_SOURCE
 #include <string.h>
 
+#ifdef FLB_SYSTEM_WINDOWS
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#endif
+
 #include <fluent-bit/flb_info.h>
+#include <fluent-bit/flb_compat.h>
 #include <fluent-bit/flb_kv.h>
 #include <fluent-bit/flb_log.h>
 #include <fluent-bit/flb_mem.h>
@@ -617,11 +623,32 @@ static int add_host_and_content_length(struct flb_http_client *c)
         out_port = c->port;
     }
 
-    if (c->flags & FLB_IO_TLS && out_port == 443) {
-        tmp = flb_sds_copy(host, out_host, strlen(out_host));
+    /* Check if connection uses TLS and port is 443 (HTTPS default) */
+    if (flb_stream_get_flag_status(&u->base, FLB_IO_TLS) && out_port == 443) {
+        struct in6_addr addr;
+
+        /* Check if out_host is an unbracketed IPv6 address */
+        if (out_host && out_host[0] != '[' && inet_pton(AF_INET6, out_host, &addr) == 1) {
+            /* IPv6 address needs brackets for RFC compliance */
+            tmp = flb_sds_printf(&host, "[%s]", out_host);
+        }
+        else {
+            /* HTTPS on default port 443 - omit port from Host header */
+            tmp = flb_sds_copy(host, out_host, strlen(out_host));
+        }
     }
     else {
-        tmp = flb_sds_printf(&host, "%s:%i", out_host, out_port);
+        struct in6_addr addr;
+
+        /* Check if out_host is an unbracketed IPv6 address */
+        if (out_host && out_host[0] != '[' && inet_pton(AF_INET6, out_host, &addr) == 1) {
+            /* IPv6 address needs brackets when combined with port */
+            tmp = flb_sds_printf(&host, "[%s]:%i", out_host, out_port);
+        }
+        else {
+            /* IPv4 address, domain name, or already bracketed IPv6 */
+            tmp = flb_sds_printf(&host, "%s:%i", out_host, out_port);
+        }
     }
 
     if (!tmp) {

@@ -30,6 +30,7 @@
 #ifdef FLB_SYSTEM_WINDOWS
 #define poll WSAPoll
 #include <winsock2.h>
+#include <ws2tcpip.h>
 #else
 #include <sys/poll.h>
 #endif

@@ -1431,13 +1431,48 @@ static char *flb_utils_copy_host_sds(const char *string, int pos_init, int pos_e
         if (string[pos_end-1] != ']') {
             return NULL;
         }
-        return flb_sds_create_len(string + pos_init + 1, pos_end - 1);
+        return flb_sds_create_len(string + pos_init + 1, pos_end - pos_init - 2);
     }
     else {
-        return flb_sds_create_len(string + pos_init, pos_end);
+        return flb_sds_create_len(string + pos_init, pos_end - pos_init);
     }
 }
 
+/* Validate IPv6 bracket syntax in URL host part */
+static int validate_ipv6_brackets(const char *p, const char **out_bracket)
+{
+    const char *host_end;
+    const char *bracket = NULL;
+    const char *closing;
+
+    /* Only inspect the host portion (up to the first '/') */
+    host_end = strchr(p, '/');
+    if (!host_end) {
+        host_end = p + strlen(p);
+    }
+
+    if (p[0] == '[') {
+        closing = memchr(p, ']', host_end - p);
+        if (!closing || closing == p + 1) {
+            /* Missing closing bracket or empty brackets [] */
+            return -1;
+        }
+        bracket = closing;
+    }
+    else {
+        /* Non-bracketed hosts must not contain ']' before the first '/' */
+        closing = memchr(p, ']', host_end - p);
+        if (closing) {
+            return -1;
+        }
+    }
+
+    if (out_bracket) {
+        *out_bracket = bracket;
+    }
+    return 0;
+}
+
 int flb_utils_url_split(const char *in_url, char **out_protocol,
                         char **out_host, char **out_port, char **out_uri)
 {
@@ -1448,6 +1483,7 @@ int flb_utils_url_split(const char *in_url, char **out_protocol,
     char *p;
     char *tmp;
     char *sep;
+    const char *bracket = NULL;
 
     /* Protocol */
     p = strstr(in_url, "://");
@@ -1467,9 +1503,17 @@ int flb_utils_url_split(const char *in_url, char **out_protocol,
     /* Advance position after protocol */
     p += 3;
 
-    /* Check for first '/' */
+    /* Validate IPv6 brackets */
     sep = strchr(p, '/');
-    tmp = strchr(p, ':');
+    if (validate_ipv6_brackets(p, &bracket) < 0) {
+        flb_errno();
+        goto error;
+    }
+    if (bracket) {
+        tmp = strchr(bracket, ':');
+    } else {
+        tmp = strchr(p, ':');
+    }
 
     /* Validate port separator is found before the first slash */
     if (sep && tmp) {
@@ -1501,10 +1545,18 @@ int flb_utils_url_split(const char *in_url, char **out_protocol,
         tmp = strchr(p, '/');
         if (tmp) {
             host = flb_copy_host(p, 0, tmp - p);
+            if (!host) {
+                flb_errno();
+                goto error;
+            }
             uri = flb_strdup(tmp);
         }
         else {
             host = flb_copy_host(p, 0, strlen(p));
+            if (!host) {
+                flb_errno();
+                goto error;
+            }
             uri = flb_strdup("/");
         }
     }
@@ -1529,6 +1581,15 @@ int flb_utils_url_split(const char *in_url, char **out_protocol,
     if (protocol) {
         flb_free(protocol);
     }
+    if (host) {
+        flb_free(host);
+    }
+    if (port) {
+        flb_free(port);
+    }
+    if (uri) {
+        flb_free(uri);
+    }
 
     return -1;
 }
@@ -1544,6 +1605,7 @@ int flb_utils_url_split_sds(const flb_sds_t in_url, flb_sds_t *out_protocol,
     char *p = NULL;
     char *tmp = NULL;
     char *sep = NULL;
+    const char *bracket = NULL;
 
     /* Protocol */
     p = strstr(in_url, "://");
@@ -1563,9 +1625,17 @@ int flb_utils_url_split_sds(const flb_sds_t in_url, flb_sds_t *out_protocol,
     /* Advance position after protocol */
     p += 3;
 
-    /* Check for first '/' */
+    /* Validate IPv6 brackets */
     sep = strchr(p, '/');
-    tmp = strchr(p, ':');
+    if (validate_ipv6_brackets(p, &bracket) < 0) {
+        flb_errno();
+        goto error;
+    }
+    if (bracket) {
+        tmp = strchr(bracket, ':');
+    } else {
+        tmp = strchr(p, ':');
+    }
 
     /* Validate port separator is found before the first slash */
     if (sep && tmp) {
@@ -1597,10 +1667,18 @@ int flb_utils_url_split_sds(const flb_sds_t in_url, flb_sds_t *out_protocol,
         tmp = strchr(p, '/');
         if (tmp) {
             host = flb_utils_copy_host_sds(p, 0, tmp - p);
+            if (!host) {
+                flb_errno();
+                goto error;
+            }
             uri = flb_sds_create(tmp);
         }
         else {
             host = flb_utils_copy_host_sds(p, 0, strlen(p));
+            if (!host) {
+                flb_errno();
+                goto error;
+            }
             uri = flb_sds_create("/");
         }
     }