I ran into a situation where my package db was replaced with a captive portal's HTML.
After unsuccessfully logging into my hotel's wifi, I ran cabal update. It replaced my old package db with the file it downloaded. Unfortunately the file was just the captive portal's HTML.
Apparently no validation is done when a new package db is downloaded, to make sure that it's actually a valid package db, and from the expected source.
I would expect that cabal should not replace the package db with anything other than a new valid package db.
```
kolmodin ~ $ cabal update
Downloading the latest package list from hackage.haskell.org
cabal: data is not in tar format
kolmodin ~ $ cabal list
cabal: data is not in tar format
kolmodin ~ $ cabal --version
cabal-install version 1.22.4.0
using version 1.22.2.0 of the Cabal library
kolmodin ~ $
```
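The behaviour this report asks for, as an added example (Python for illustration; not cabal-install's code): parse the download as a tar archive before touching the existing file, then swap it in atomically. The function names, the `.cabal` entry check and the sample data are assumptions made for the example, and it checks format only, not that the data came from the expected source.

```python
import gzip, io, os, tarfile, tempfile, zlib

class InvalidIndex(Exception):
    """Downloaded bytes are not a usable package index."""

def validate_index(data: bytes) -> int:
    """Return the number of .cabal entries, or raise InvalidIndex."""
    try:
        raw = gzip.decompress(data) if data[:2] == b"\x1f\x8b" else data
        with tarfile.open(fileobj=io.BytesIO(raw), mode="r:") as tar:
            count = sum(1 for m in tar if m.isfile() and m.name.endswith(".cabal"))
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        raise InvalidIndex(f"data is not in tar format: {exc}") from exc
    if count == 0:  # assumption: a real index always lists package descriptions
        raise InvalidIndex("archive contains no .cabal entries")
    return count

def install_index(data: bytes, dest: str) -> int:
    """Validate first; only then replace dest, via a temp file and rename."""
    count = validate_index(data)  # raises before anything touches dest
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)))
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, dest)  # atomic: readers see the old or the new file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return count

def make_sample_index() -> bytes:
    """Constructed sample: a gzip-compressed tar with one fake .cabal entry."""
    body = b"name: demo\nversion: 0.1\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("demo/0.1/demo.cabal")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return gzip.compress(buf.getvalue())

# Constructed stand-in for what a captive portal returns instead of the index.
PORTAL_HTML = b"<html><body>Please log in to hotel Wi-Fi</body></html>"
```

With this ordering a failed or hijacked download leaves the previous index in place, so `cabal list` in the session above would have kept working.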