perform case-insensitive hash comparisons

pypa · May 25, 2024 · 65da1f9 · 65da1f9
1 parent fb71f4c
commit 65da1f9
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/news/12680.bugfix.rst b/news/12680.bugfix.rst
@@ -0,0 +1 @@
+Perform hash comparisons in a case-insensitive manner.
diff --git a/src/pip/_internal/utils/hashes.py b/src/pip/_internal/utils/hashes.py
@@ -82,7 +82,7 @@ def check_against_chunks(self, chunks: Iterable[bytes]) -> None:
                 hash.update(chunk)
 
         for hash_name, got in gots.items():
-            if got.hexdigest() in self._allowed[hash_name]:
+            if got.hexdigest() in [x.lower() for x in self._allowed[hash_name]]:
                 return
         self._raise(gots)
 

diff --git a/tests/functional/test_install.py b/tests/functional/test_install.py
@@ -619,6 +619,18 @@ def test_hashed_install_failure(script: PipTestEnvironment, tmpdir: Path) -> Non
     assert len(result.files_created) == 0
 
 
+def test_case_insensitive_hashed_install_success(
+    script: PipTestEnvironment, tmpdir: Path
+) -> None:
+    """Test that hashes that differ only by case don't halt installation."""
+    with requirements_file(
+        "simple2==1.0 --hash=sha256:9336AF72CA661E6336EB87BC7DE3E8844D853E"
+        "3848C2B9BBD2E8BF01DB88C2C7\n",
+        tmpdir,
+    ) as reqs_file:
+        script.pip_install_local("-r", reqs_file.resolve())
+
+
 def test_link_hash_pass_require_hashes(
     script: PipTestEnvironment, shared_data: TestData
 ) -> None: