Explicitly required SHA256 digest information

diff --git a/gocheese.go b/gocheese.go
index 2ba14d6616f6a328a98127dd8cf223806ff908ba..655908d47f789735bc84033a9ef6b006991d0185 100644 (file)
--- a/gocheese.go
+++ b/gocheese.go
@@ -151,6 +151,11 @@ func refreshDir(
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return false
                }
+               if !strings.HasPrefix(pkgURL.Fragment, SHA256Prefix) {
+                       log.Println(r.RemoteAddr, "pypi", filename, "no SHA256 digest provided")
+                       http.Error(w, "no SHA256 digest provided", http.StatusBadGateway)
+                       return false
+               }
                digest, err = hex.DecodeString(strings.TrimPrefix(pkgURL.Fragment, SHA256Prefix))
                if err != nil {
                        http.Error(w, err.Error(), http.StatusBadGateway)