Index: lib/python/ZPublisher/HTTPRequest.py
===================================================================
--- lib/python/ZPublisher/HTTPRequest.py	(revision 68139)
+++ lib/python/ZPublisher/HTTPRequest.py	(working copy)
@@ -63,6 +63,16 @@
 class NestedLoopExit( Exception ):
     pass
 
+class ReadOnlyDict(dict):
+    def __setitem__(self, key, value):
+        raise TypeError, 'Immutable'
+    def __delitem__(self, key):
+        raise TypeError, 'Immutable'
+    def update(self, other):
+        raise TypeError, 'Immutable'
+    def clear(self):
+        raise TypeError, 'Immutable'
+
 class HTTPRequest(BaseRequest):
     """\
     Model HTTP request data.
@@ -252,7 +262,7 @@
             del environ['HTTP_AUTHORIZATION']
 
         self.stdin=stdin
-        self.environ=environ
+        self.environ=ReadOnlyDict(environ)
         have_env=environ.has_key
         get_env=environ.get
         self.response=response
Index: lib/python/ZPublisher/tests/testHTTPRequest.py
===================================================================
--- lib/python/ZPublisher/tests/testHTTPRequest.py	(revision 68139)
+++ lib/python/ZPublisher/tests/testHTTPRequest.py	(working copy)
@@ -684,7 +684,23 @@
         req.close()
         self.assertEqual(start_count, sys.getrefcount(s))  # The test
 
+    def test_environ_is_immutable(self):
+        from StringIO import StringIO
+        s = StringIO(TEST_FILE_DATA)
+        env = TEST_ENVIRON.copy()
+        env['to_replace'] = 'to_replace'
+        env['to_remove'] = 'to_remove'
+        from ZPublisher.HTTPRequest import HTTPRequest
+        req = HTTPRequest(s, env, None)
+        self.assertRaises(TypeError, req.environ.__setitem__,
+                            'hacked', 'hacked')
+        self.assertRaises(TypeError, req.environ.__setitem__,
+                            'to_replace', 'replaced')
+        self.assertRaises(TypeError, req.environ.__delitem__, 'to_remove')
+        self.assertRaises(TypeError, req.environ.update, {'hacked': 'hacked'})
+        self.assertRaises(TypeError, req.environ.clear)
 
+
 def test_suite():
     suite = unittest.TestSuite()
     suite.addTest(unittest.makeSuite(AuthCredentialsTestsa, 'test'))
Index: lib/python/OFS/tests/testRanges.py
===================================================================
--- lib/python/OFS/tests/testRanges.py	(revision 68139)
+++ lib/python/OFS/tests/testRanges.py	(working copy)
@@ -59,6 +59,9 @@
             r['Application'] = a
             self.root = a
             self.app = makerequest(self.root, stdout=self.responseOut)
+            # 'environ' is now immutable, so replace it to allow scribbling
+            #  in tests
+            self.app.REQUEST.environ = dict(self.app.REQUEST.environ)
             try: self.app._delObject(TESTFOLDER_NAME)
             except AttributeError: pass
             manage_addFolder(self.app, TESTFOLDER_NAME)