followon to previous commit: actually use whitelist instead of blacklist for package name contents.

Nick Martin
2013-08-06 15:55:06 -07:00
parent e7bb166a02
commit a9a99ceafd


@@ -175,12 +175,15 @@ _.extend(Library.prototype, {
return self.loadedPackages[name].pkg;
}
// Check for invalid package names.
// Check for invalid package names. Currently package names can only
// contain ASCII alphanumerics and dash, and must contain at least
// one non-digit-or-dash.
//
// XXX should we be even stricter and whitelist something like
// /\-_A-Za-z0-9/ instead of blacklisting some special characters?
// What about unicode package names?
if (/[\.\?|'"#<>\(\)]/.test(name)) {
// We don't support '.' because it is used as the separator between
// a package name and a slice. This might want to change.
//
// XXX revisit this later. What about unicode package names?
if (/[^A-Za-z0-9\-]/.test(name) || !/[A-Za-z]/.test(name) ) {
if (throwOnError === false)
return null;
throw new Error("Invalid package name: " + name);
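Review bot: The new whitelist on the `if (/[^A-Za-z0-9\-]/.test(name) || !/[A-Za-z]/.test(name) ) {` line still accepts names that begin with a dash (a constructed example: `-a`), which the comment above it does not mention. If package names are ever passed to a command line or used as file or directory names (not visible in this hunk), a leading dash can be read as an option, so consider requiring an alphanumeric first character: `if (!/^[A-Za-z0-9][A-Za-z0-9\-]*$/.test(name) || !/[A-Za-z]/.test(name)) {`. Separately, `RegExp.prototype.test` coerces its argument to a string, so a non-string `name` such as `undefined` is validated as the text "undefined" and passes; a `typeof name !== 'string'` guard would make the rejection explicit. The enclosing method starts and ends outside this hunk, so whether callers already guarantee a string cannot be confirmed from here.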