Everything posted by xilopaint
-
Alfred PDF Tools – Optimize, encrypt and manipulate PDF files
xilopaint replied to xilopaint's topic in Share your Workflows
It’s possible to send data to STDIN via subprocess.Popen.communicate but it's not an option for me because this method waits for the child process to finish to return and I can't read from STDOUT meanwhile. -
Alfred PDF Tools – Optimize, encrypt and manipulate PDF files
xilopaint replied to xilopaint's topic in Share your Workflows
Update (v3.1.2) • Improved fix for the shell injection bug. -
Alfred PDF Tools – Optimize, encrypt and manipulate PDF files
xilopaint replied to xilopaint's topic in Share your Workflows
@vitor, this is my command now:

cmd = f'echo | {os.path.dirname(__file__)}/bin/k2pdfopt {shlex.quote(pdf_path)} -as -mode copy -n -o "%s [optimized].pdf" -x'

As you can see I use echo to pass a newline to the next command where the binary k2pdfopt is executed. This is necessary because k2pdfopt is a CLI that waits for a newline to proceed: This is the reason why I need shell=True as you cannot run multiple commands without a shell. Also, I cannot use the array method. Thanks for the link! I was not aware of shlex.quote. I just released a new version using this function and it’s enough to prevent command injection through command substitution. Unfortunately, k2pdfopt cannot handle filepaths with double quotes yet, so I reported this to the developer. Now the only blocked paths are those with double quotes. I consider this a win. -
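The two requirements raised in these posts (hand the tool the newline it waits for, and read STDOUT while it is still running) can also be met with an argument list and a direct write to the child's stdin, so that no shell ever parses the file name. This is an added example, not code from the workflow: `FAKE_CLI` is a constructed stand-in for k2pdfopt and `run_with_progress` is a hypothetical helper name.

```python
import subprocess
import sys

# Constructed stand-in for an interactive CLI such as k2pdfopt: it waits for a
# newline on stdin, then reports progress line by line on stdout.
FAKE_CLI = (
    "import sys\n"
    "sys.stdin.readline()\n"
    "for page in range(1, 4):\n"
    "    print(f'page {page}/3 of {sys.argv[1]}', flush=True)\n"
)


def run_with_progress(argv):
    """Run argv without a shell, send the newline the tool waits for, and
    yield each stdout line as soon as the child writes it."""
    proc = subprocess.Popen(
        argv,                     # list form: no shell parses the file name
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
        text=True,
        bufsize=1,                # line-buffered on the parent side
    )
    proc.stdin.write("\n")        # takes the place of `echo | ...`
    proc.stdin.close()            # EOF, so the child never blocks on input
    for line in proc.stdout:      # streams while the child is still running
        yield line.rstrip("\n")
    proc.stdout.close()
    if proc.wait() != 0:
        raise subprocess.CalledProcessError(proc.returncode, argv)


def demo():
    hostile = "$(say boom).pdf"   # the proof-of-concept file name from the thread
    argv = [sys.executable, "-c", FAKE_CLI, hostile]
    return list(run_with_progress(argv))


if __name__ == "__main__":
    for progress in demo():
        print(progress)
```

The file name reaches the child as a single literal argv entry, so command substitution and quote characters in it are never interpreted. How promptly lines arrive still depends on the child flushing its own output, which the stand-in does explicitly.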
Alfred PDF Tools – Optimize, encrypt and manipulate PDF files
xilopaint replied to xilopaint's topic in Share your Workflows
Hey @vitor, ignore my last post. I investigated the issue more deeply and will get back with a new post on why I think there’s no easy alternative to using shell=True in this case. -
Alfred PDF Tools – Optimize, encrypt and manipulate PDF files
xilopaint replied to xilopaint's topic in Share your Workflows
I mean shell=True and not the array method. Because I offer some kind of progress bar in real-time with a re-running script filter. It shows how many pages of the PDF file were already processed and the progress percentage. As far as I know I can’t get this in real-time with any other subprocess method than subprocess.Popen with shell=True. -
Alfred PDF Tools – Optimize, encrypt and manipulate PDF files
xilopaint replied to xilopaint's topic in Share your Workflows
Yes, but it's necessary in my case because I need to read STDOUT to give the user the possibility to track the progress of the shell process through a script filter. I had given up on the array method because Python docs recommend against it if shell=True (I don't understand why, btw). Could you give me an example of what a shell-escaped string of a filepath would look like in this case? What do you mean by bespoke? Btw, I check the user input to prevent subprocess.Popen from running. Why is that not a solution if it solves the problem? Anyway I'm still open to a more elegant solution, of course. -
Alfred PDF Tools – Optimize, encrypt and manipulate PDF files
xilopaint replied to xilopaint's topic in Share your Workflows
Here you can see the start of the code block. I'm sending the command through this variable:

cmd = f'echo -y | {os.path.dirname(__file__)}/bin/k2pdfopt "{pdf_path}" -as -mode copy -n -o "%s [optimized].pdf" -x'

pdf_path is a variable that stores the input of the file action, basically Alfred {query}. As you can see it’s enclosed in double quotes. I tried this at some point, but it didn't work for some reason, so I found this in the docs and gave up: In my case shell=True. -
Alfred PDF Tools – Optimize, encrypt and manipulate PDF files
xilopaint replied to xilopaint's topic in Share your Workflows
Btw, it would be nice if some shell wizard like @vitor or someone else could try to hack the latest version of the workflow, but I think the bug is already fixed. -
Alfred PDF Tools – Optimize, encrypt and manipulate PDF files
xilopaint replied to xilopaint's topic in Share your Workflows
Guys, this is an important release as it fixes a critical bug that allowed shell injection. Anyone interested in having a harmless proof of concept of the bug can rename a PDF file as $(say boom).pdf and run the Optimize file action. Besides the critical nature of the bug, it’s extremely unlikely that it has ever been exploited since it depends on the user to run either Optimize or Deskew file actions on a PDF with a filename that causes command substitution. The bug was fixed by validating the user input — which is the file path in the case of a file action — and preventing subprocess.Popen from running. Now, an exception is raised if the input is illegal and the user receives a macOS notification with the warning. For better security, the workflow is now Bandit compliant. -
Alfred PDF Tools – Optimize, encrypt and manipulate PDF files
xilopaint replied to xilopaint's topic in Share your Workflows
Update (v3.1.1) • Fixed critical bug that allowed command injection via subprocess.Popen. • Code refactoring. -
Alfred PDF Tools – Optimize, encrypt and manipulate PDF files
xilopaint replied to xilopaint's topic in Share your Workflows
This is not a Skimmer workflow thread. -
Could you share the link? I want to filter out those annoying results in other languages.
-
Hey @vitor, I can see you're the workflow creator. Where's this API documented? Btw, I'm currently getting suggestions in multiple languages, including English, Spanish and my own language. Apart from that, the suggestions I get with the workflow are different from the ones I get by searching the Amazon website of my country in the browser. Is it possible to make the API filter results in a specific language?
-
Alfred PDF Tools – Optimize, encrypt and manipulate PDF files
xilopaint replied to xilopaint's topic in Share your Workflows
Update (v3.1) • Added a Deskew file action. -
If you don't want to reinstall Python 2 and follow the guidelines recommended by @vitor you should ask the creator for a port to Python 3 or do it yourself.
-
Alfred PDF Tools – Optimize, encrypt and manipulate PDF files
xilopaint replied to xilopaint's topic in Share your Workflows
No problem. Thank you too. -
@cleobis could you review my PR?
-
Alfred PDF Tools – Optimize, encrypt and manipulate PDF files
xilopaint replied to xilopaint's topic in Share your Workflows
Do you remember having any issues with Optimize in v2 and your ARM Mac? -
Is there any difference between this workflow and this other one?
-
Alfred PDF Tools – Optimize, encrypt and manipulate PDF files
xilopaint replied to xilopaint's topic in Share your Workflows
Thanks guys. All you guys can show your love by giving a star on the workflow's GitHub repo. Btw I would appreciate if anyone with an ARM Mac could tell me if this issue is still present in v3. -
Alfred PDF Tools – Optimize, encrypt and manipulate PDF files
xilopaint replied to xilopaint's topic in Share your Workflows
Big changes were made in v3. Unfortunately, because of macOS constraints regarding unsigned binaries, the adoption of pikepdf made the new version around 5 seconds slower. Making the new version faster would require the user either installing pikepdf manually or allowing a large amount of binaries, which I decided to avoid. Any feedback about v3 is appreciated. Thanks to @katie for testing beta builds before v3 release. -
Alfred PDF Tools – Optimize, encrypt and manipulate PDF files
xilopaint replied to xilopaint's topic in Share your Workflows
Update (v3.0) • Python 3 port. • PyPDF4 replaced with pikepdf.