pypa · dstufft · Jan 10, 2014 · Jan 10, 2014
diff --git a/pip/index.py b/pip/index.py
@@ -56,6 +56,9 @@ def __init__(self, find_links, index_urls,
             normalize_name(n) for n in allow_unverified
         )
 
+        # Anything that is allowed unverified is also allowed external
+        self.allow_external |= self.allow_unverified
+
         # Do we allow all (safe and verifiable) externally hosted files?
         self.allow_all_external = allow_all_external
 

diff --git a/tests/unit/test_finder.py b/tests/unit/test_finder.py
@@ -484,6 +484,22 @@ def test_finder_finds_external_links_without_hashes_scraped_all_all_insecure(dat
     link = finder.find_requirement(req, False)
     assert link.filename == "bar-4.0.tar.gz"
 
+
+def test_finder_finds_external_links_without_hashes_scraped_insecure(data):
+    """
+    Tests that PackageFinder finds externally scraped links without the
+    external flag
+    """
+    req = InstallRequirement.from_line("bar", None)
+
+    # using a local index
+    finder = PackageFinder([], [data.index_url("externals")],
+                allow_unverified=["bar"],
+            )
+    link = finder.find_requirement(req, False)
+    assert link.filename == "bar-4.0.tar.gz"
+
+
 class test_link_package_versions(object):
 
     # patch this for travis which has distribute in it's base env for now