diff options
| author | Stéphane Bidoul <stephane.bidoul@gmail.com> | 2023-04-10 16:43:51 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-04-10 16:43:51 +0200 |
| commit | 5d4a974b60b37acdaeaea457196366678b0624a3 (patch) | |
| tree | 5bf0f217a5882b710f80757a6a9b8eba3fe624dd /src | |
| parent | 62e932ad2889f370e47aeae010b5e2a23a194d38 (diff) | |
| parent | 453a5a7e0738c9c0453a3a23db4ef74e9e4e41d7 (diff) | |
| download | pip-5d4a974b60b37acdaeaea457196366678b0624a3.tar.gz | |
Merge pull request #11938 from sbidoul/fix-direct-url-hash-trusted-sbi
Don't trust link hash in direct URL dependencies
Diffstat (limited to 'src')
| -rw-r--r-- | src/pip/_internal/req/req_install.py | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/pip/_internal/req/req_install.py b/src/pip/_internal/req/req_install.py index baa671638..e2353f032 100644 --- a/src/pip/_internal/req/req_install.py +++ b/src/pip/_internal/req/req_install.py @@ -287,7 +287,12 @@ class InstallRequirement: """ good_hashes = self.hash_options.copy() - link = self.link if trust_internet else self.original_link + if trust_internet: + link = self.link + elif self.original_link and self.user_supplied: + link = self.original_link + else: + link = None if link and link.hash: good_hashes.setdefault(link.hash_name, []).append(link.hash) return Hashes(good_hashes) |