Addresses Issue pypa#5572: Implement PIP_TRUSTED_HOSTS logic...

kalebmckale · kalebmckale · commit 7c5dcde5f389 · 2023-01-21T18:47:56.000-05:00
Duplicated logic around line 204 in core.py to allow users to specify
index via --index command-line option and validate against
PIP_TRUSTED_HOSTS when determining verify_ssl value.
diff --git a/pipenv/core.py b/pipenv/core.py
@@ -2432,8 +2432,21 @@ def do_install(
                 )
                 # Add the package to the Pipfile.
                 if index_url:
+                    trusted_hosts = get_trusted_hosts()
+                    host_and_port = get_host_and_port(index_url)
+                    require_valid_https = not any(
+                        (
+                            v in trusted_hosts
+                            for v in (
+                                host_and_port,
+                                host_and_port.partition(":")[
+                                    0
+                                ],  # also check if hostname without port is in trusted_hosts
+                            )
+                        )
+                    )
                     index_name = project.add_index_to_pipfile(
-                        index_url, verify_ssl=index_url.startswith("https:")
+                        index_url, verify_ssl=require_valid_https
                     )
                     pkg_requirement.index = index_name
                 try:
