From 905711f0a1ee3a656af350917783d6472b3c2aab Mon Sep 17 00:00:00 2001 From: "Wladimir J. van der Laan" Date: Wed, 14 Jan 2015 13:49:43 +0100 Subject: [PATCH] contrib: improve optimize-pngs.py - Check that image contents match pre- and post- crushing. - Also remove use of external tool to compute sha256 in favor of hashlib. - contrib: remove all use of shell=True in strip_pngs.py Using `shell=True` can be a security hazard. See e.g. https://docs.python.org/2/library/subprocess.html#subprocess.check_output --- contrib/devtools/optimize-pngs.py | 42 ++++++++++++++++++++++++------- 1 file changed, 33 insertions(+), 9 deletions(-) diff --git a/contrib/devtools/optimize-pngs.py b/contrib/devtools/optimize-pngs.py index 774968fc0..38aaa00f3 100755 --- a/contrib/devtools/optimize-pngs.py +++ b/contrib/devtools/optimize-pngs.py @@ -3,12 +3,28 @@ import os import sys import subprocess +import hashlib +from PIL import Image + +def file_hash(filename): + '''Return hash of raw file contents''' + with open(filename, 'rb') as f: + return hashlib.sha256(f.read()).hexdigest() + +def content_hash(filename): + '''Return hash of RGBA contents of image''' + i = Image.open(filename) + i = i.convert('RGBA') + data = i.tostring() + return hashlib.sha256(data).hexdigest() #optimize png, remove various color profiles, remove ancillary chunks (alla) and text chunks (text) #pngcrush -brute -ow -rem gAMA -rem cHRM -rem iCCP -rem sRGB -rem alla -rem text +pngcrush = 'pngcrush' +git = 'git' folders = ["src/qt/res/movies", "src/qt/res/icons", "src/qt/res/images"] -basePath = subprocess.check_output("git rev-parse --show-toplevel", shell=True).rstrip('\n') +basePath = subprocess.check_output([git, 'rev-parse', '--show-toplevel']).rstrip('\n') totalSaveBytes = 0 outputArray = [] @@ -19,31 +35,39 @@ for folder in folders: if extension.lower() == '.png': print("optimizing "+file+"..."), file_path = os.path.join(absFolder, file) - fileMetaMap = {'file' : file, 'osize': os.path.getsize(file_path), 'sha256Old' : subprocess.check_output("openssl dgst -sha256 "+file_path, shell=True).rstrip('\n')}; + fileMetaMap = {'file' : file, 'osize': os.path.getsize(file_path), 'sha256Old' : file_hash(file_path)}; + fileMetaMap['contentHashPre'] = content_hash(file_path) pngCrushOutput = "" try: - pngCrushOutput = subprocess.check_output("pngcrush -brute -ow -rem gAMA -rem cHRM -rem iCCP -rem sRGB -rem alla -rem text "+file_path+" >/dev/null 2>&1", shell=True).rstrip('\n') + pngCrushOutput = subprocess.check_output( + [pngcrush, "-brute", "-ow", "-rem", "gAMA", "-rem", "cHRM", "-rem", "iCCP", "-rem", "sRGB", "-rem", "alla", "-rem", "text", file_path], + stderr=subprocess.STDOUT).rstrip('\n') except: print "pngcrush is not installed, aborting..." sys.exit(0) #verify - if "Not a PNG file" in subprocess.check_output("pngcrush -n -v "+file_path+" >/dev/null 2>&1", shell=True): + if "Not a PNG file" in subprocess.check_output([pngcrush, "-n", "-v", file_path], stderr=subprocess.STDOUT): print "PNG file "+file+" is corrupted after crushing, check out pngcursh version" sys.exit(1) - - fileMetaMap['sha256New'] = subprocess.check_output("openssl dgst -sha256 "+file_path, shell=True).rstrip('\n') + fileMetaMap['sha256New'] = file_hash(file_path) + fileMetaMap['contentHashPost'] = content_hash(file_path) + + if fileMetaMap['contentHashPre'] != fileMetaMap['contentHashPost']: + print "Image contents of PNG file "+file+" before and after crushing don't match" + sys.exit(1) + fileMetaMap['psize'] = os.path.getsize(file_path) outputArray.append(fileMetaMap) print("done\n"), print "summary:\n+++++++++++++++++" for fileDict in outputArray: - oldHash = fileDict['sha256Old'].split("= ")[1] - newHash = fileDict['sha256New'].split("= ")[1] + oldHash = fileDict['sha256Old'] + newHash = fileDict['sha256New'] totalSaveBytes += fileDict['osize'] - fileDict['psize'] print fileDict['file']+"\n size diff from: "+str(fileDict['osize'])+" to: "+str(fileDict['psize'])+"\n old sha256: "+oldHash+"\n new sha256: "+newHash+"\n" -print "completed. Total reduction: "+str(totalSaveBytes)+" bytes" \ No newline at end of file +print "completed. Total reduction: "+str(totalSaveBytes)+" bytes"