Index: django/http/__init__.py
===================================================================
--- django/http/__init__.py	(revision 10248)
+++ django/http/__init__.py	(working copy)
@@ -263,6 +263,9 @@
         cookiedict[key] = c.get(key).value
     return cookiedict
 
+class BadHeaderError(ValueError):
+    pass
+
 class HttpResponse(object):
     """A basic HTTP response, with content and dictionary-accessed headers."""
 
@@ -301,6 +304,8 @@
     def _convert_to_ascii(self, *values):
         """Converts all values to ascii strings."""
         for value in values:
+            if '\n' in value or '\r' in value:
+                raise BadHeaderError("Header values can't contain newlines (got %r)" % (value))
             if isinstance(value, unicode):
                 try:
                     yield value.encode('us-ascii')
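Review bot: The added newline test runs before the `isinstance(value, unicode)` branch, so it sees the raw argument; a non-string header value such as an integer would raise TypeError at `'\n' in value` instead of being converted. The rest of `_convert_to_ascii` lies outside this hunk, so this assumes non-unicode values are coerced to a string further down. If they are, run the check on the converted string just before it is yielded, which also covers objects whose string form contains CR or LF. The format argument `% (value)` is not a tuple, and `% (value,)` avoids a formatting error should a tuple ever be passed. Since the doctests in this patch show header names being rejected too, the message would be more accurate as "Header names and values can't contain newlines".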
Index: tests/regressiontests/httpwrappers/tests.py
===================================================================
--- tests/regressiontests/httpwrappers/tests.py	(revision 10248)
+++ tests/regressiontests/httpwrappers/tests.py	(working copy)
@@ -444,6 +444,17 @@
 ...
 UnicodeEncodeError: ..., HTTP response headers must be in US-ASCII format
 
+# Bug #10188: Do not allow newlines in headers (CR or LF)
+>>> r['test\\rstr'] = 'test'
+Traceback (most recent call last):
+...
+BadHeaderError: Header values can't contain newlines (got 'test\\rstr')
+
+>>> r['test\\nstr'] = 'test'
+Traceback (most recent call last):
+...
+BadHeaderError: Header values can't contain newlines (got 'test\\nstr')
+
 #
 # Regression test for #8278: QueryDict.update(QueryDict)
 #
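Review bot: Both added doctests put the CR or LF in the header name; neither sets a header value containing a newline, which is the case the error message and the documentation describe and the one most likely to carry request-derived data. Add the value-side cases, e.g. `>>> r['test'] = 'test\\rstr'` and `>>> r['test'] = 'test\\nstr'`, each expecting `BadHeaderError`. A case that assigns a non-string value would also pin how the new check interacts with the type conversion in `_convert_to_ascii`.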
Index: docs/ref/request-response.txt
===================================================================
--- docs/ref/request-response.txt	(revision 10248)
+++ docs/ref/request-response.txt	(working copy)
@@ -445,6 +445,11 @@
     >>> response = HttpResponse()
     >>> response['Pragma'] = 'no-cache'
 
+.. versionadded:: 1.1
+
+HTTP headers cannot contain newlines. An attempt to set a header containing a
+newline character (CR or LF) will raise ``BadHeaderError``
+
 Telling the browser to treat the response as a file attachment
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
