
xilopaint
Member
Posts: 896
Days Won: 24

Everything posted by xilopaint

  1. It’s possible to send data to STDIN via subprocess.Popen.communicate, but it's not an option for me because this method waits for the child process to finish before returning, and I can't read from STDOUT in the meantime.
  2. @vitor, this is my command now: cmd = f'echo | {os.path.dirname(__file__)}/bin/k2pdfopt {shlex.quote(pdf_path)} -as -mode copy -n -o "%s [optimized].pdf" -x' As you can see, I use echo to pass a newline to the next command, where the binary k2pdfopt is executed. This is necessary because k2pdfopt is a CLI that waits for a newline to proceed. This is the reason why I need shell=True, as you cannot run multiple commands without a shell. Also, I cannot use the array method. Thanks for the link! I was not aware of shlex.quote. I just released a new version using this function, and it’s enough to prevent command injection through command substitution. Unfortunately, k2pdfopt cannot handle file paths with double quotes yet, so I reported this to the developer. Now the only blocked paths are those with double quotes. I consider this a win.
  3. Hey @vitor, ignore my last post. I investigated the issue more deeply and will get back with a new post on why I think there’s no easy alternative to using shell=True in this case.
  4. I mean shell=True and not the array method, because I offer some kind of real-time progress bar with a re-running script filter. It shows how many pages of the PDF file have already been processed and the progress percentage. As far as I know, I can’t get this in real time with any subprocess method other than subprocess.Popen with shell=True.
  5. Yes, but it's necessary in my case because I need to read STDOUT to give the user the possibility of tracking the progress of the shell process through a script filter. I had given up on the array method because the Python docs recommend against it if shell=True (I don't understand why, btw). Could you give me an example of how a shell-escaped string of a file path would look in this case? What do you mean by bespoke? Btw, I check the user input to prevent subprocess.Popen from running. Why is that not a solution if it solves the problem? Anyway, I'm still open to a more elegant solution, of course.
  6. Here you can see the start of the code block. I'm sending the command through this variable: cmd = f'echo -y | {os.path.dirname(__file__)}/bin/k2pdfopt "{pdf_path}" -as -mode copy -n -o "%s [optimized].pdf" -x' pdf_path is a variable that stores the input of the file action, basically Alfred {query}. As you can see, it’s enclosed in double quotes. I tried this at some point, but it didn't work for some reason, so I found this in the docs and gave up: In my case shell=True.
  7. Btw, it would be nice if some shell wizard like @vitor or someone else could try to hack the latest version of the workflow, but I think the bug is already fixed.
  8. Guys, this is an important release, as it fixes a critical bug that allowed shell injection. Anyone interested in a harmless proof of concept of the bug can rename a PDF file to $(say boom).pdf and run the Optimize file action. Besides the critical nature of the bug, it’s extremely unlikely that it has ever been exploited, since it depends on the user running either the Optimize or Deskew file action on a PDF with a filename that causes command substitution. The bug was fixed by validating the user input (which is the file path in the case of a file action) and preventing subprocess.Popen from running. Now an exception is raised if the input is illegal, and the user receives a macOS notification with the warning. For better security, the workflow is now Bandit compliant.
  9. Update (v3.1.1) • Fixed critical bug that allowed command injection via subprocess.Popen. • Code refactoring.
  10. Could you share the link? I want to filter out those annoying results in other languages.
  11. Hey @vitor, I can see you're the workflow creator. Where is this API documented? Btw, I'm currently getting suggestions in multiple languages, including English, Spanish and my own language. Apart from that, the suggestions I get with the workflow are different from the ones I get by searching the Amazon website of my country in the browser. Is it possible to make the API filter results in a specific language?
  12. If you don't want to reinstall Python 2 and follow the guidelines recommended by @vitor, you should ask the creator for a port to Python 3 or do it yourself.
  13. Do you remember having any issues with Optimize in v2 and your ARM Mac?
  14. Is there any difference between this workflow and this other one?
  15. Thanks guys. All you guys can show your love by giving a star on the workflow's GitHub repo. Btw I would appreciate if anyone with an ARM Mac could tell me if this issue is still present in v3.
  16. Now I can see that I get different results depending on whether or not I invoke the workflow with a maximized window as the frontmost. Is that intended behavior?
  17. Big changes were made in v3. Unfortunately, because of macOS constraints regarding unsigned binaries, the adoption of pikepdf made the new version around 5 seconds slower. Making the new version faster would require the user to either install pikepdf manually or allow a large number of binaries, which I decided to avoid. Any feedback about v3 is appreciated. Thanks to @katie for testing beta builds before the v3 release.
  18. Update (v3.0) • Python 3 port. • PyPDF4 replaced with pikepdf.
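An added example, not code from the workflow or from any poster in the thread, for the two points the posts above turn on: what shlex.quote() does to the shell string that caused the $(say boom).pdf injection, and how the same pipeline (a newline fed to a binary that waits for one, with its stdout read while it runs) can be built with the argv form of subprocess.Popen and no shell, by writing the newline to a stdin pipe instead of using `echo |`. k2pdfopt itself is replaced by a small stand-in child process so the example runs offline; the flags in the two command strings are copied from the posts, but the stand-in's "PAGE n of 3" progress lines are made up here and are not k2pdfopt's real output.

```python
"""Added example: shell-string hardening with shlex.quote() versus the
shell-free argv form of subprocess.Popen, with real-time stdout reading.
The child process is a stand-in for k2pdfopt so this runs offline; the real
binary and its output format are NOT reproduced (assumption for this example)."""
import shlex
import subprocess
import sys
from typing import Iterator, List

# Stand-in child (constructed for this example): it blocks on one line from
# stdin, as the posts say k2pdfopt does, echoes the path it received so the
# caller can prove no shell substitution happened, then emits fake progress.
FAKE_K2PDFOPT = r"""
import sys
sys.stdin.readline()            # wait for the newline the caller sends
path = sys.argv[1]              # with `python -c code arg`, argv[1] is arg
print("INPUT " + path, flush=True)
for i in range(1, 4):
    print(f"PAGE {i} of 3", flush=True)
"""


def vulnerable_command(pdf_path: str) -> str:
    """The original pattern: the path is interpolated into a shell string.
    Under shell=True, /bin/sh expands $(...) and backticks inside the double
    quotes, so '$(say boom).pdf' runs `say boom` before k2pdfopt ever starts."""
    return f'echo | k2pdfopt "{pdf_path}" -as -mode copy -n -o "%s [optimized].pdf" -x'


def quoted_command(pdf_path: str) -> str:
    """Same pipeline with shlex.quote(): the path becomes one single-quoted
    shell word, so $(...), backticks, spaces and semicolons are literal.
    An embedded single quote is rewritten as '"'"' by shlex.quote()."""
    return f'echo | k2pdfopt {shlex.quote(pdf_path)} -as -mode copy -n -o "%s [optimized].pdf" -x'


def run_streaming(argv: List[str]) -> Iterator[str]:
    """Run argv with no shell, feed it the newline it waits for, and yield
    stdout lines as they arrive (no communicate(), so no blocking until exit)."""
    proc = subprocess.Popen(
        argv,
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
        text=True,
        bufsize=1,              # line-buffered text pipe
    )
    assert proc.stdin is not None and proc.stdout is not None
    proc.stdin.write("\n")      # replaces `echo |` from the shell version
    proc.stdin.close()
    for line in proc.stdout:    # each line is available as soon as the child flushes it
        yield line.rstrip("\n")
    proc.wait()


def optimize(pdf_path: str) -> List[str]:
    """Argv form: the path is a single argv element that no shell ever parses,
    so it may contain $(...), quotes or spaces without any validation step."""
    argv = [sys.executable, "-c", FAKE_K2PDFOPT, pdf_path]
    return list(run_streaming(argv))


if __name__ == "__main__":
    hostile = "$(say boom).pdf"
    print("unsafe :", vulnerable_command(hostile))
    print("quoted :", quoted_command(hostile))
    for progress in optimize(hostile):   # prints INPUT ..., then PAGE 1 of 3 ...
        print("child  :", progress)
```

In a real-time progress filter, the loop in run_streaming() is where each line would be parsed and re-emitted to the UI; because the newline goes through proc.stdin rather than `echo |`, neither shell=True nor a path validator is needed for the path to be safe, and a name with double quotes is passed to the child untouched.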