User-controlled cookie values and parameters can allow injecting HTTP headers. Fix rejects all control characters within cookie names, values, and parameters.