Addresses Issue pypa#5572: Implement PIP_TRUSTED_HOSTS logic...

Duplicated logic around line 204 in core.py to allow users to specify index via --index command-line option and validate against PIP_TRUSTED_HOSTS when determining verify_ssl value.
kalebmckale · Jan 21, 2023 · 7c5dcde · 7c5dcde
1 parent e8a7b45
commit 7c5dcde
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/pipenv/core.py b/pipenv/core.py
@@ -2432,8 +2432,21 @@ def do_install(
                 )
                 # Add the package to the Pipfile.
                 if index_url:
+                    trusted_hosts = get_trusted_hosts()
+                    host_and_port = get_host_and_port(index_url)
+                    require_valid_https = not any(
+                        (
+                            v in trusted_hosts
+                            for v in (
+                                host_and_port,
+                                host_and_port.partition(":")[
+                                    0
+                                ],  # also check if hostname without port is in trusted_hosts
+                            )
+                        )
+                    )
                     index_name = project.add_index_to_pipfile(
-                        index_url, verify_ssl=index_url.startswith("https:")
+                        index_url, verify_ssl=require_valid_https
                     )
                     pkg_requirement.index = index_name
                 try: