Diffstat (limited to 'lib/bundler/fetcher.rb')
-rw-r--r-- | lib/bundler/fetcher.rb | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/lib/bundler/fetcher.rb b/lib/bundler/fetcher.rb index 5c1eac415e..08d1ee3437 100644 --- a/lib/bundler/fetcher.rb +++ b/lib/bundler/fetcher.rb @@ -81,7 +81,7 @@ module Bundler :HTTPRequestURITooLong, :HTTPUnauthorized, :HTTPUnprocessableEntity, :HTTPUnsupportedMediaType, :HTTPVersionNotSupported].freeze FAIL_ERRORS = begin - fail_errors = [AuthenticationRequiredError, BadAuthenticationError, AuthenticationForbiddenError, FallbackError] + fail_errors = [AuthenticationRequiredError, BadAuthenticationError, AuthenticationForbiddenError, FallbackError, SecurityError] fail_errors << Gem::Requirement::BadRequirementError fail_errors.concat(NET_ERRORS.map {|e| Net.const_get(e) }) end.freeze @@ -139,7 +139,16 @@ module Bundler fetch_specs(gem_names).each do |name, version, platform, dependencies, metadata| spec = if dependencies - EndpointSpecification.new(name, version, platform, self, dependencies, metadata) + EndpointSpecification.new(name, version, platform, self, dependencies, metadata).tap do |es| + unless index.local_search(es).empty? + # Duplicate spec.full_names, different spec.original_names + # index#<< ensures that the last one added wins, so if we're overriding + # here, make sure to also override the checksum, otherwise downloading the + # specs (even if that version is completely unused) will cause a SecurityError + source.checksum_store.delete_full_name(es.full_name) + end + source.checksum_store.register(es, [es.checksum]) if source && es.checksum + end else RemoteSpecification.new(name, version, platform, self) end |
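Review bot: The bare `SecurityError` added to the `fail_errors` array in the first hunk is ambiguous to a reader, because Ruby core also defines `::SecurityError`. Inside `module Bundler` the name presumably resolves to Bundler's own error class, and writing `Bundler::SecurityError` would make that explicit. A comment on that line such as `# checksum mismatches are deterministic, so retrying cannot fix them` would record why it sits among the errors that bypass retries. The array that `FAIL_ERRORS` extends starts outside the hunk.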
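Review bot: In the second hunk, `source.checksum_store.delete_full_name(es.full_name)` runs without the `source &&` guard that the next added line applies to `register`. A nil `source` would therefore raise NoMethodError inside the `tap` block whenever `index.local_search(es)` finds a duplicate. Either guard both calls, e.g. `unless source.nil? || index.local_search(es).empty?`, or drop the guard on `register` if `source` can never be nil here. The delete also discards a previously registered checksum silently, so a `Bundler.ui.debug` line naming `es.full_name` at that point would leave a trace for anyone investigating a later mismatch. The enclosing method begins and ends outside the hunk, so whether callers always pass a source cannot be confirmed from here.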