Fix issue #510 - prevent sdist filename matches on partial project names....

Fix issue #510 - prevent sdist filename matches on partial project names. Thanks casevh for the report.

docs/news.txt

@@ -13,6 +13,10 @@ Beta and final releases planned for the second half of 2012.
 develop (unreleased)
 -------------------
 
+* Fixed issue #510 - prevent e.g. ``gmpy2-2.0.tar.gz`` from matching a request
+  to ``pip install gmpy``; sdist filename must begin with full project name
+  followed by a dash. Thanks casevh for the report.
+
 * Fixed issue #504 - allow package URLS to have querystrings. Thanks W.
   Trevor King.
 

pip/index.py

@@ -326,8 +326,10 @@ class PackageFinder(object):
         name = match.group(0).lower()
         # To match the "safe" name that pkg_resources creates:
         name = name.replace('_', '-')
-        if name.startswith(search_name.lower()):
-            return match.group(0)[len(search_name):].lstrip('-')
+        # project name and version must be separated by a dash
+        look_for = search_name.lower() + "-"
+        if name.startswith(look_for):
+            return match.group(0)[len(look_for):]
         else:
             return None
 

tests/test_finder.py

@@ -16,3 +16,12 @@ def test_no_mpkg():
     found = finder.find_requirement(req, False)
 
     assert found.url.endswith("pkgwithmpkg-1.0.tar.gz"), found
+
+
+def test_no_partial_name_match():
+    """Finder requires the full project name to match, not just beginning."""
+    finder = PackageFinder([find_links], [])
+    req = InstallRequirement.from_line("gmpy")
+    found = finder.find_requirement(req, False)
+
+    assert found.url.endswith("gmpy-1.15.tar.gz"), found