From fe95091cb996ebc6c92bceace37b7e70c7528b67 Mon Sep 17 00:00:00 2001
From: Sergey Matveev
Date: Mon, 27 Sep 2021 23:01:39 +0300
Subject: [PATCH] Explicitly check stored digest

---
 main.go | 2 +-
 refresh.go | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/main.go b/main.go
index 83bde1b..772d3bf 100644
--- a/main.go
+++ b/main.go
@@ -44,7 +44,7 @@ import (
 )

 const (
- Version = "3.1.0"
+ Version = "3.2.0"
 UserAgent = "GoCheese/" + Version
 )

diff --git a/refresh.go b/refresh.go
index 59c8ceb..0138e7d 100644
--- a/refresh.go
+++ b/refresh.go
@@ -25,6 +25,7 @@ import (
 "crypto/sha512"
 "encoding/hex"
 "encoding/json"
+ "errors"
 "hash"
 "io"
 "io/ioutil"
@@ -427,6 +428,15 @@ func refreshDir(
 http.Error(w, "digest mismatch", http.StatusBadGateway)
 return false
 }
+ if digestStored, err := ioutil.ReadFile(path + "." + hashAlgo); err == nil &&
+ bytes.Compare(digest, digestStored) != 0 {
+ err = errors.New("stored digest mismatch")
+ log.Println("error", r.RemoteAddr, "pypi", filename, err)
+ os.Remove(dst.Name())
+ dst.Close()
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return false
+ }
 if !NoSync {
 if err = dst.Sync(); err != nil {
 os.Remove(dst.Name())
--
2.44.0
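Review bot: The stored-digest check added to refreshDir fails open, because the condition `err == nil && …` skips the comparison on every ReadFile error, not only when `path + "." + hashAlgo` does not exist, so a permission or I/O error on the digest file lets the download through unverified. Only `os.IsNotExist(err)` should count as "no stored digest"; any other read error should reject the download, logging the error server-side and answering with a fixed message, since the text of a path error would put the local path into the HTTP response. `!bytes.Equal(digest, digestStored)` is the idiomatic form of the comparison. The check also assumes the file holds the digest in the same raw form as `digest`, which is not visible here; refreshDir starts and ends outside the hunk.

```go
if digestStored, err := ioutil.ReadFile(path + "." + hashAlgo); err == nil {
	if !bytes.Equal(digest, digestStored) {
		// … unchanged: "stored digest mismatch" handling, return false …
	}
} else if !os.IsNotExist(err) {
	// An unreadable digest file is not an absent one: fail closed.
	log.Println("error", r.RemoteAddr, "pypi", filename, err)
	os.Remove(dst.Name())
	dst.Close()
	http.Error(w, "can not read stored digest", http.StatusInternalServerError)
	return false
}
```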