From: Fabian Munkes <105975993+fmunkes@users.noreply.github.com>
Date: Sun, 8 Feb 2026 18:34:29 +0000 (+0100)
Subject: Sanitize queue_item.name in icy headers (#3112)
X-Git-Url: https://git.kitaultman.com/?a=commitdiff_plain;h=3806ff696882cd307e9866c70a863609440faa71;p=music-assistant-server.git

Sanitize queue_item.name in icy headers (#3112)
---

diff --git a/music_assistant/controllers/streams/streams_controller.py b/music_assistant/controllers/streams/streams_controller.py
index 683b8e95..7dcd9447 100644
--- a/music_assistant/controllers/streams/streams_controller.py
+++ b/music_assistant/controllers/streams/streams_controller.py
@@ -448,9 +448,11 @@ class StreamsController(CoreController):
         )
 
         # prepare request, add some DLNA/UPNP compatible headers
+        # icy-name is sanitized to avoid a "Potential header injection attack" exception by aiohttp
+        # see https://github.com/music-assistant/support/issues/4913
         headers = {
             **DEFAULT_STREAM_HEADERS,
-            "icy-name": queue_item.name,
+            "icy-name": queue_item.name.replace("\n", " ").replace("\r", " ").replace("\t", " "),
             "contentFeatures.dlna.org": "DLNA.ORG_OP=01;DLNA.ORG_FLAGS=01500000000000000000000000000000",  # noqa: E501
             "Accept-Ranges": "none",
             "Content-Type": f"audio/{output_format.output_format_str}",