Make headers and cookies non-writable after finalize-headers

[catagits/Catalyst-Runtime.git] / lib / Catalyst.pm

diff --git a/lib/Catalyst.pm b/lib/Catalyst.pm
index 8cb5af5..fde9681 100644 (file)
--- a/lib/Catalyst.pm
+++ b/lib/Catalyst.pm
@@ -16,6 +16,8 @@ use Path::Class;
 use Time::HiRes qw/gettimeofday tv_interval/;
 use URI;
 use Scalar::Util qw/weaken/;
+use Hash::Util qw/lock_hash/;
+use HTTP::Headers::ReadOnly;
 use attributes;
 
 __PACKAGE__->mk_accessors(
@@ -1023,7 +1025,11 @@ Finalizes cookies.
 
 =cut
 
-sub finalize_cookies { my $c = shift; $c->engine->finalize_cookies( $c, @_ ) }
+sub finalize_cookies {
+       my $c = shift;
+       $c->engine->finalize_cookies( $c, @_ );
+       lock_hash( %$_ ) for $c->res->cookies, values %{ $c->res->cookies };
+}
 
 =item $c->finalize_error
 
@@ -1066,6 +1072,8 @@ sub finalize_headers {
 
     $c->engine->finalize_headers( $c, @_ );
 
+       bless $c->response->headers, "HTTP::Headers::ReadOnly";
+
     # Done
     $c->response->{_finalized_headers} = 1;
 }
@@ -1774,6 +1782,9 @@ Writes $data to the output stream. When using this method directly, you
 will need to manually set the C<Content-Length> header to the length of
 your output data, if known.
 
+Also note that any headers created after the write can  no longer be added, and
+this includes cookies.
+
 =cut
 
 sub write {