[PR #802] [MERGED] fix: validate RequestCookies names before mutating Cookie header #856

Closed
opened 2026-05-06 13:10:29 +02:00 by BreizhHardware · 0 comments

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/802
Author: @southpolesteve
Created: 4/9/2026
Status: Merged
Merged: 4/9/2026
Merged by: @southpolesteve

Base: main ← Head: fix/validate-next-server-request-cookie-names


📝 Commits (1)

  • b487620 fix: validate RequestCookies names before mutating Cookie header

📊 Changes

2 files changed (+34 additions, -1 deletions)


📝 packages/vinext/src/shims/server.ts (+6 -1)
📝 tests/shims.test.ts (+28 -0)

📄 Description

Summary

Add cookie-name validation to next/server's RequestCookies API before mutating the raw Cookie request header.

Details

RequestCookies.set() and delete() in packages/vinext/src/shims/server.ts rewrite the incoming Cookie request header. Unlike the next/headers cookie shim and ResponseCookies, this code path did not validate cookie names before serializing them back into the header.

This change adds validateCookieName() checks to:

  • RequestCookies.set(name, value)
  • RequestCookies.set({ name, value })
  • RequestCookies.delete(name)
  • RequestCookies.delete([name1, name2, ...])

Tests

Adds focused direct tests against the next/server RequestCookies API covering:

  • invalid names with =
  • invalid names with ;
  • invalid names with CRLF
  • empty names
  • object-form set({ name, value })
  • invalid names in array-form delete([...])

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
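
Why an unvalidated name matters when the raw Cookie header is rebuilt, as an added example that is not code from vinext or from this PR: a small stand-in for a request-cookie store with the check switchable. All function names, the sample header and the RFC 6265 token rule used for validation are assumptions; the page does not show how validateCookieName() is implemented.

```typescript
// Added example; names and the token rule are assumptions, not vinext's code.
type Pair = [string, string];

// RFC 6265 cookie-name is an HTTP token: no "=", ";", whitespace, CR/LF, never empty.
const COOKIE_NAME_TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function assertValidCookieName(name: string): void {
  if (!COOKIE_NAME_TOKEN.test(name)) {
    throw new Error(`Invalid cookie name: ${JSON.stringify(name)}`);
  }
}

// Split a raw Cookie request header into [name, value] pairs.
function parseCookieHeader(header: string): Pair[] {
  const pairs: Pair[] = [];
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue; // a segment without "=" carries no cookie
    const name = part.slice(0, eq).trim();
    if (name) pairs.push([name, part.slice(eq + 1).trim()]);
  }
  return pairs;
}

function serialize(pairs: Pair[]): string {
  return pairs.map(([n, v]) => `${n}=${v}`).join("; ");
}

// set(): rewrite the header with `name` replaced or appended.
function setRequestCookie(header: string, name: string, value: string, validate: boolean): string {
  if (validate) assertValidCookieName(name); // reject before touching the header
  const pairs = parseCookieHeader(header).filter(([n]) => n !== name);
  pairs.push([name, value]);
  return serialize(pairs);
}

// delete(): accepts one name or an array; every name is checked before any removal.
function deleteRequestCookies(header: string, names: string | string[], validate: boolean): string {
  const list = Array.isArray(names) ? names : [names];
  if (validate) list.forEach((n) => assertValidCookieName(n));
  return serialize(parseCookieHeader(header).filter(([n]) => list.indexOf(n) === -1));
}

// Names that whatever parses the rewritten header next will see.
function cookieNamesSeenDownstream(header: string): string[] {
  return parseCookieHeader(header).map(([n]) => n);
}
```

With the check off, setting the constructed name `theme; admin` on `session=abc123` produces `session=abc123; theme; admin=1`, so the next parser sees a cookie named `admin` that no caller set under that name. With the check on, the same call throws and the header is left as it was.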
