Fixes and improvements
General
- prevent code injection in case of MTX_QUERY in hooks (#5707). When MTX_QUERY is used explicitly in a hook, for instance "curl http://something/?$MTX_QUERY", its value can be used to inject arbitrary commands. MTX_QUERY is now URL-encoded to prevent any abuse regardless of the configuration.
- use temporary redirects instead of permanent redirects (#5710). This prevents unwanted caching.
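
The effect of the MTX_QUERY change, as an added example that is not MediaMTX code: it expands the hook from the note above with a raw and with a URL-encoded query string and reports whether the substituted value carries shell syntax. The helper names, the use of Go's url.QueryEscape as the encoder, the textual substitution of $MTX_QUERY and the sample query strings are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Characters a POSIX shell interprets when they appear unquoted in a command line.
const shellMeta = " \t\n;&|<>()$`\\\"'*?[]{}!#"

// queryValue returns the text that replaces $MTX_QUERY (hypothetical helper).
// encode=false pastes the raw query string; encode=true URL-encodes it first,
// which is the behaviour the release note describes. url.QueryEscape is an
// assumed encoder: the note only says the value is url-encoded.
func queryValue(rawQuery string, encode bool) string {
	if encode {
		return url.QueryEscape(rawQuery)
	}
	return rawQuery
}

// expandHook models hook expansion as plain text substitution (an assumption).
func expandHook(template, value string) string {
	return strings.ReplaceAll(template, "$MTX_QUERY", value)
}

// hasShellSyntax reports whether the substituted value contains characters
// that would change how a shell tokenizes the hook command.
func hasShellSyntax(value string) bool {
	return strings.ContainsAny(value, shellMeta)
}

func main() {
	template := "curl http://something/?$MTX_QUERY" // hook from the release note
	// Constructed query strings: one ordinary, two carrying shell syntax.
	queries := []string{"user=alice&pass=x", "a=1;echo injected", "a=$(echo injected)"}
	for _, q := range queries {
		for _, encode := range []bool{false, true} {
			v := queryValue(q, encode)
			fmt.Printf("encoded=%-5v shellSyntax=%-5v %s\n",
				encode, hasShellSyntax(v), expandHook(template, v))
		}
	}
}
```

Even the ordinary query is flagged when unencoded, because an unquoted & is a shell control operator; after encoding only letters, digits and the characters - _ . ~ % + remain. The receiver can recover the original string with url.QueryUnescape.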
HLS
- prevent open redirect attacks (#5708)
- support reading and writing KLV (#5604)
- add hlsCDNSecret (#5716). This allows serving HLS streams behind a CDN in a simplified way, compatible with the new HLS session system.
- add public attribute to cache-control header (bluenviron/gohlslib#349)
- allow caching non-low-latency playlists (bluenviron/gohlslib#350)
WebRTC
- prevent open redirect attacks (#5708)
RPI Camera
- Merge request->controls instead of overwriting (bluenviron/mediamtx-rpicamera#97). libcamera 0.7.0 is more strict about changing controls; assignment is no longer allowed since raspberrypi/libcamera@310cd8b. Instead, we use the merge call with overwrite.
Security
Binaries are compiled from source code by the Release workflow, which is a fully-visible process that prevents any change or external interference in produced artifacts.
Checksums of binaries are also published in a public blockchain by using GitHub Attestations, and they can be verified by running:
ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx
You can verify checksums of binaries by downloading checksums.sha256 and running:
cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check