Reject bad ipv6 hostnames

Author: erikdubbelboer

uri.go

@@ -445,13 +445,20 @@ func parseHost(host []byte) ([]byte, error) {
 			}
 			return append(host1, append(host2, host3...)...), nil
 		}
-	} else if i := bytes.LastIndexByte(host, ':'); i != -1 {
-		if bytes.IndexByte(host[:i], ':') != -1 {
-			return nil, fmt.Errorf("invalid host %q with multiple port delimiters", host)
+	} else {
+		if bytes.IndexByte(host, '[') != -1 || bytes.IndexByte(host, ']') != -1 {
+			return nil, fmt.Errorf("invalid host %q", host)
 		}
-		colonPort := host[i:]
-		if !validOptionalPort(colonPort) {
-			return nil, fmt.Errorf("invalid port %q after host", colonPort)
+
+		if i := bytes.LastIndexByte(host, ':'); i != -1 {
+			if bytes.IndexByte(host[:i], ':') != -1 {
+				return nil, fmt.Errorf("invalid host %q with multiple port delimiters", host)
+			}
+
+			colonPort := host[i:]
+			if !validOptionalPort(colonPort) {
+				return nil, fmt.Errorf("invalid port %q after host", colonPort)
+			}
 		}
 	}
 

uri_test.go

@@ -203,6 +203,22 @@ func TestURIUpdate(t *testing.T) {
 	testURIUpdate(t, "http://example.net/", "//example.com:8080/", "http://example.com:8080/")
 }
 
+func TestURIRejectsMixedBracketHost(t *testing.T) {
+	t.Parallel()
+
+	tests := []string{
+		"http://127.0.0.1[192.168.0.1]/",
+		"http://example.com[fd00::1]/",
+	}
+
+	for _, raw := range tests {
+		var u URI
+		if err := u.Parse(nil, []byte(raw)); err == nil {
+			t.Fatalf("expected error for %q", raw)
+		}
+	}
+}
+
 func testURIUpdate(t *testing.T, base, update, result string) {
 	var u URI
 	u.Parse(nil, []byte(base)) //nolint:errcheck