From a9a99ceafd60687cb061c00a87cbadb43a84dd32 Mon Sep 17 00:00:00 2001
From: Nick Martin
Date: Tue, 6 Aug 2013 15:55:06 -0700
Subject: [PATCH] followon to previous commit: actually use whitelist instead of blacklist for package name contents.

---
 tools/library.js | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/tools/library.js b/tools/library.js
index 5db0d12700..4238bce28b 100644
--- a/tools/library.js
+++ b/tools/library.js
@@ -175,12 +175,15 @@ _.extend(Library.prototype, {
 return self.loadedPackages[name].pkg;
 }
 
- // Check for invalid package names.
+ // Check for invalid package names. Currently package names can only
+ // contain ASCII alphanumerics and dash, and must contain at least
+ // one non-digit-or-dash.
 //
- // XXX should we be even stricter and whitelist something like
- // /\-_A-Za-z0-9/ instead of blacklisting some special characters?
- // What about unicode package names?
- if (/[\.\?|'"#<>\(\)]/.test(name)) {
+ // We don't support '.' because it is used as the separator between
+ // a package name and a slice. This might want to change.
+ //
+ // XXX revisit this later. What about unicode package names?
+ if (/[^A-Za-z0-9\-]/.test(name) || !/[A-Za-z]/.test(name) ) {
 if (throwOnError === false) return null;
 throw new Error("Invalid package name: " + name);