EVEIGB_SECURE_HEADERS mode.

This enables some basic validation on headers coming into the client and validation of the data in the headers. Hopefully to provide a few extra roadblocks against fake/corrupt requests.
2025-12-22 13:09:20 +00:00 · 2013-10-13 18:14:18 +01:00
parent 3179695ce1
commit bb54f78006
3 changed files with 133 additions and 31 deletions
--- a/eveigb/middleware.py
+++ b/eveigb/middleware.py
@@ -1,23 +1,26 @@
+from django.conf import settings
+
+# List of IGB headers, their type, and if they're expected in a all requests
 EVE_IGB_HEADERS = [
-    'HTTP_EVE_SERVERIP',
-    'HTTP_EVE_CHARNAME',
-    'HTTP_EVE_CHARID',
-    'HTTP_EVE_CORPNAME',
-    'HTTP_EVE_CORPID',
-    'HTTP_EVE_ALLIANCENAME',
-    'HTTP_EVE_ALLIANCEID',
-    'HTTP_EVE_REGIONNAME',
-    'HTTP_EVE_CONSTELLATIONNAME',
-    'HTTP_EVE_SOLARSYSTEMNAME',
-    'HTTP_EVE_STATIONNAME',
-    'HTTP_EVE_STATIONID',
-    'HTTP_EVE_CORPROLE',
-    'HTTP_EVE_SHIPNAME',
-    'HTTP_EVE_SHIPTYPEID',
-    'HTTP_EVE_SHIPTYPENAME',
-    'HTTP_EVE_SHIPID',
-    'HTTP_EVE_SOLARSYSTEMID',
-    'HTTP_EVE_WARFACTIONID',
+    ('HTTP_EVE_SERVERIP', False, 'str'),
+    ('HTTP_EVE_CHARNAME', True, 'str'),
+    ('HTTP_EVE_CHARID', True, 'int'),
+    ('HTTP_EVE_CORPNAME', True, 'str'),
+    ('HTTP_EVE_CORPID', True, 'int'),
+    ('HTTP_EVE_ALLIANCENAME', False, 'str'),
+    ('HTTP_EVE_ALLIANCEID', False, 'int'),
+    ('HTTP_EVE_REGIONNAME', True, 'str'),
+    ('HTTP_EVE_CONSTELLATIONNAME', True, 'str'),
+    ('HTTP_EVE_SOLARSYSTEMNAME', True, 'str'),
+    ('HTTP_EVE_STATIONNAME', False, 'str'),
+    ('HTTP_EVE_STATIONID', False, 'int'),
+    ('HTTP_EVE_CORPROLE', True, 'int'),
+    ('HTTP_EVE_SHIPNAME', True, 'str'),
+    ('HTTP_EVE_SHIPTYPEID', True, 'int'),
+    ('HTTP_EVE_SHIPTYPENAME', True, 'str'),
+    ('HTTP_EVE_SHIPID', True, 'int'),
+    ('HTTP_EVE_SOLARSYSTEMID', True, 'int'),
+    ('HTTP_EVE_WARFACTIONID', False, 'int'),
 ]


@@ -32,11 +35,22 @@ class IGBMiddleware(object):
        request.is_igb_trusted = False

        if 'EVE-IGB' in request.META.get('HTTP_USER_AGENT', ''):
+            if getattr(settings, 'EVEIGB_SECURE_HEADERS', False):
+                for hdr, req, typ in EVE_IGB_HEADERS:
+                    if not req:
+                        continue
+                    if not hdr in request.META:
+                        return
+                    if typ == 'int':
+                        try:
+                            long(request.META.get(hdr))
+                        except ValueError:
+                            return
            request.is_igb = True
            if request.META.get('HTTP_EVE_TRUSTED', 'No') == 'Yes':
                request.is_igb_trusted = True

-                for header in EVE_IGB_HEADERS:
+                for header, req, typ in EVE_IGB_HEADERS:
                    if header in request.META:
                        setattr(request, header.replace('HTTP_', '').lower(), request.META.get(header))