GHSA-q4ph-8x8g-95f8: AzuraCast Vulnerable to Liquidsoap Code Injection via Incomplete cleanUpString-to-toRawString Migration in Remote Relay Password Field

The cleanUpString() method in ConfigWriter.php uses an ungreedy regex to strip Liquidsoap string interpolation patterns (#{...}) from user input. This regex can be bypassed via nested interpolation syntax (#{#{EXPR}}), allowing injection of arbitrary Liquidsoap code. Commit ff49ef4 migrated most user-controlled fields to the safe toRawString() method but left the remote relay password field using the vulnerable cleanUpString(). A user with the RemoteRelays station permission can achieve arbitrary code execution in the Liquidsoap process, leak internal API keys, or disrupt station operation.