Check --name value if it's passed in, as that's not validated anywhere

src/Composer/Command/InitCommand.php

@@ -171,6 +171,12 @@ EOT
                 // package names must be in the format foo/bar
                 $name = $name . '/' . $name;
             }
+        } else {
+            if (!preg_match('{^[a-z0-9_.-]+/[a-z0-9_.-]+$}', $name)) {
+                throw new \InvalidArgumentException(
+                    'The package name '.$name.' is invalid, it should be lowercase and have a vendor name, a forward slash, and a package name, matching: [a-z0-9_.-]+/[a-z0-9_.-]+'
+                );
+            }
         }
 
         $name = $dialog->askAndValidate(