Reject invalid hosts with multiple port delimiters

Author: erikdubbelboer

uri.go

@@ -398,6 +398,9 @@ func parseHost(host []byte) ([]byte, error) {
 			return append(host1, append(host2, host3...)...), nil
 		}
 	} else if i := bytes.LastIndexByte(host, ':'); i != -1 {
+		if bytes.IndexByte(host[:i], ':') != -1 {
+			return nil, fmt.Errorf("invalid host %q with multiple port delimiters", host)
+		}
 		colonPort := host[i:]
 		if !validOptionalPort(colonPort) {
 			return nil, fmt.Errorf("invalid port %q after host", colonPort)

uri_test.go

@@ -104,6 +104,27 @@ func testURIPathEscape(t *testing.T, path, expectedRequestURI string) {
 	}
 }
 
+func TestURIRejectMultiplePorts(t *testing.T) {
+	t.Parallel()
+
+	testcases := []string{
+		"http://192.168.1.1:1111:2222/",
+		"http://example.com:80:8080/",
+	}
+
+	for _, raw := range testcases {
+		var u URI
+		if err := u.Parse(nil, []byte(raw)); err == nil {
+			t.Fatalf("expected Parse to fail for %q", raw)
+		}
+	}
+
+	var valid URI
+	if err := valid.Parse(nil, []byte("http://192.168.1.1:1111/")); err != nil {
+		t.Fatalf("unexpected error for valid uri: %v", err)
+	}
+}
+
 func TestURIUpdate(t *testing.T) {
 	t.Parallel()