when file urls have hash fragments, check it

qwcode · qwcode · commit eb7a31e01961 · 2014-02-01T14:04:58.000-08:00
diff --git a/pip/download.py b/pip/download.py
@@ -625,7 +625,6 @@ def unpack_http_url(link, location, download_cache, download_dir=None,
 def unpack_file_url(link, location, download_dir=None):
 
     link_path = url_to_path(link.url_without_fragment)
-    from_path = None
     already_downloaded = False
 
     # If it's a url to a local directory
@@ -635,6 +634,11 @@ def unpack_file_url(link, location, download_dir=None):
         shutil.copytree(link_path, location, symlinks=True)
         return
 
+    # if link has a hash, let's confirm it matches
+    if link.hash:
+        link_path_hash = _get_hash_from_file(link_path, link)
+        _check_hash(link_path_hash, link)
+
     # If a download dir is specified, is the file already there and valid?
     if download_dir:
         download_path = os.path.join(download_dir, link.filename)
@@ -655,16 +659,17 @@ def unpack_file_url(link, location, download_dir=None):
             else:
                 already_downloaded = True
 
-    # a download dir is specified and not already downloaded
-    if download_dir and not already_downloaded:
-        content_type = mimetypes.guess_type(link_path)[0]
-        _copy_file(link_path, download_dir, content_type, link)
-
-    # unpack the archive to the build dir location. even when only downloading
-    # archives, they have to be unpacked to parse dependencies
     if already_downloaded:
         from_path = download_path
     else:
         from_path = link_path
+
     content_type = mimetypes.guess_type(from_path)[0]
+
+    # unpack the archive to the build dir location. even when only downloading
+    # archives, they have to be unpacked to parse dependencies
     unpack_file(from_path, location, content_type, link)
+
+    # a download dir is specified and not already downloaded
+    if download_dir and not already_downloaded:
+        _copy_file(from_path, download_dir, content_type, link)
diff --git a/tests/unit/test_download.py b/tests/unit/test_download.py
@@ -8,6 +8,7 @@
 
 import pip
 from pip.backwardcompat import urllib, BytesIO, b, pathname2url
+from pip.exceptions import HashMismatch
 from pip.download import (PipSession, path_to_url, unpack_http_url,
                           url_to_path, unpack_file_url)
 from pip.index import Link
@@ -229,6 +230,16 @@ def test_unpack_file_url_download_already_exists(self, tmpdir,
         assert dist_path2_md5 == hashlib.md5(
             open(dest_file, 'rb').read()).hexdigest()
 
+    def test_unpack_file_url_bad_hash(self, tmpdir, data,
+                                      monkeypatch):
+        """
+        Test when the file url hash fragment is wrong
+        """
+        self.prep(tmpdir, data)
+        self.dist_url.url = "%s#md5=bogus" % self.dist_url.url
+        with pytest.raises(HashMismatch):
+            unpack_file_url(self.dist_url, self.build_dir)
+
     def test_unpack_file_url_download_bad_hash(self, tmpdir, data,
                                                monkeypatch):
         """
