From 74b10151641cf099fae7a94b87260c2851e7c7db Mon Sep 17 00:00:00 2001 From: Erik Dubbelboer Date: Sat, 27 Sep 2025 10:25:14 +0200 Subject: [PATCH] Reject bad ipv6 hostnames --- uri.go | 19 +++++++++++++------ uri_test.go | 16 ++++++++++++++++ 2 files changed, 29 insertions(+), 6 deletions(-) diff --git a/uri.go b/uri.go index dff8a2ca53..fb9dc5302f 100644 --- a/uri.go +++ b/uri.go @@ -445,13 +445,20 @@ func parseHost(host []byte) ([]byte, error) { } return append(host1, append(host2, host3...)...), nil } - } else if i := bytes.LastIndexByte(host, ':'); i != -1 { - if bytes.IndexByte(host[:i], ':') != -1 { - return nil, fmt.Errorf("invalid host %q with multiple port delimiters", host) + } else { + if bytes.ContainsAny(host, "[]") { + return nil, fmt.Errorf("invalid host %q", host) } - colonPort := host[i:] - if !validOptionalPort(colonPort) { - return nil, fmt.Errorf("invalid port %q after host", colonPort) + + if i := bytes.LastIndexByte(host, ':'); i != -1 { + if bytes.IndexByte(host[:i], ':') != -1 { + return nil, fmt.Errorf("invalid host %q with multiple port delimiters", host) + } + + colonPort := host[i:] + if !validOptionalPort(colonPort) { + return nil, fmt.Errorf("invalid port %q after host", colonPort) + } } } diff --git a/uri_test.go b/uri_test.go index ec17dd196f..631dbeb364 100644 --- a/uri_test.go +++ b/uri_test.go @@ -203,6 +203,22 @@ func TestURIUpdate(t *testing.T) { testURIUpdate(t, "http://example.net/", "//example.com:8080/", "http://example.com:8080/") } +func TestURIRejectsMixedBracketHost(t *testing.T) { + t.Parallel() + + tests := []string{ + "http://127.0.0.1[192.168.0.1]/", + "http://example.com[fd00::1]/", + } + + for _, raw := range tests { + var u URI + if err := u.Parse(nil, []byte(raw)); err == nil { + t.Fatalf("expected error for %q", raw) + } + } +} + func testURIUpdate(t *testing.T, base, update, result string) { var u URI u.Parse(nil, []byte(base)) //nolint:errcheck