
DJANGO TIGHTENS SECURITY ON HTTP HEADERS AND ADMIN QUERYSETS

By RepoJournal · Filed · About Django

Django patched control character injection in HttpResponse headers and fixed a critical inconsistency where admin change forms ignored custom queryset filtering.

The security fix [1] rejects control characters in the HttpResponse reason_phrase attribute, closing a header injection vector: the reason_phrase setter previously performed no validation, so a value containing control characters could slip past the checks that otherwise protect the header block. On the admin side, a consistency fix [2] resolves ticket #37117 by making change form actions use ModelAdmin.get_queryset(), as the change list already does [3]. Before this patch, a ModelAdmin with custom queryset logic (annotations, stricter filtering, custom managers) could show different data in the change form than in the change list, a silent data integrity problem. The djangoproject.com release checklist was also prepared for the next alpha cycle [4], with branch protection rule automation and ReadTheDocs corrections [5] [6], to smooth future releases.
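The kind of validation the reason_phrase fix calls for, as an added example that is not Django's own code: a minimal Response stand-in whose setter rejects any ASCII control character on assignment (the exact character set and the class and exception names are this example's assumptions, chosen to illustrate the pre-patch gap described above).

```python
import re

# ASCII control characters (0x00-0x1F, 0x7F). CR and LF are the ones that
# let a value terminate the status line early and start a new header.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

class BadHeaderError(ValueError):
    """Raised when a value would corrupt the HTTP header block."""

def validate_reason_phrase(value: str) -> str:
    """Return value unchanged if it is safe to place on the status line.
    Assumption: this mirrors the intent of the #37100 fix (reject on
    assignment), not Django's actual implementation.
    """
    match = _CONTROL_CHARS.search(value)
    if match:
        raise BadHeaderError(
            f"control character {match.group()!r} at offset {match.start()}"
        )
    return value

def is_safe_reason_phrase(value: str) -> bool:
    """True if validate_reason_phrase() would accept the value."""
    try:
        validate_reason_phrase(value)
    except BadHeaderError:
        return False
    return True

class Response:
    """Minimal stand-in for HttpResponse, constructed for this example."""

    def __init__(self, status_code: int = 200, reason_phrase: str = "OK"):
        self.status_code = status_code
        self.reason_phrase = reason_phrase  # routed through the setter

    @property
    def reason_phrase(self) -> str:
        return self._reason_phrase

    @reason_phrase.setter
    def reason_phrase(self, value: str) -> None:
        # Pre-patch behaviour was a plain attribute with no check; validating
        # on assignment catches a bad value before it is ever serialised.
        self._reason_phrase = validate_reason_phrase(str(value))

    def status_line(self) -> str:
        return f"HTTP/1.1 {self.status_code} {self.reason_phrase}\r\n"
```

Assigning a phrase such as "OK\r\nX-Injected: yes" raises BadHeaderError instead of producing two header lines.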

References

  [1] Fixed #37100 -- Prevented control characters in HttpResponse reason_phrase. (django/django)
  [2] Fixed #37117 -- Used ModelAdmin.get_queryset() for change form actions. (django/django)
  [3] Fixed #37117 -- Used ModelAdmin.get_queryset() for change form actions. (django/django)
  [4] [checklists] Removed stable branch prefix from feature freeze man page update. (django/djangoproject.com)
  [5] [checklists] Fixed typo in ReadTheDocs search step. (django/djangoproject.com)
  [6] [checklists] Updates after 6.1 alpha. (django/djangoproject.com)

FAQ

What changed in Django on May 23, 2026?
Django patched control character injection in HttpResponse headers and fixed a critical inconsistency where admin change forms ignored custom queryset filtering.
What should Django teams do about it?
  • Review admin change forms for custom get_queryset() logic and test against this patch
  • Audit any code setting HttpResponse reason_phrase with user input
  • Watch djangoproject.com release checklist changes for alpha branch workflow updates
Which Django repositories shipped on May 23, 2026?
django/django, django/djangoproject.com
