contrib: improve optimize-pngs.py

- Check that image contents match pre- and post- crushing.
- Also remove use of external tool to compute sha256 in favor of hashlib.
- contrib: remove all use of shell=True in strip_pngs.py
  Using `shell=True` can be a security hazard. See e.g.
  https://docs.python.org/2/library/subprocess.html#subprocess.check_output
This commit is contained in:
Wladimir J. van der Laan 2015-01-14 13:49:43 +01:00
parent 42f6a0c2b9
commit 905711f0a1

View file

@ -3,12 +3,28 @@
import os
import sys
import subprocess
import hashlib
from PIL import Image
def file_hash(filename):
'''Return hash of raw file contents'''
with open(filename, 'rb') as f:
return hashlib.sha256(f.read()).hexdigest()
def content_hash(filename):
'''Return hash of RGBA contents of image'''
i = Image.open(filename)
i = i.convert('RGBA')
data = i.tostring()
return hashlib.sha256(data).hexdigest()
#optimize png, remove various color profiles, remove ancillary chunks (alla) and text chunks (text)
#pngcrush -brute -ow -rem gAMA -rem cHRM -rem iCCP -rem sRGB -rem alla -rem text
pngcrush = 'pngcrush'
git = 'git'
folders = ["src/qt/res/movies", "src/qt/res/icons", "src/qt/res/images"]
basePath = subprocess.check_output("git rev-parse --show-toplevel", shell=True).rstrip('\n')
basePath = subprocess.check_output([git, 'rev-parse', '--show-toplevel']).rstrip('\n')
totalSaveBytes = 0
outputArray = []
@ -19,30 +35,38 @@ for folder in folders:
if extension.lower() == '.png':
print("optimizing "+file+"..."),
file_path = os.path.join(absFolder, file)
fileMetaMap = {'file' : file, 'osize': os.path.getsize(file_path), 'sha256Old' : subprocess.check_output("openssl dgst -sha256 "+file_path, shell=True).rstrip('\n')};
fileMetaMap = {'file' : file, 'osize': os.path.getsize(file_path), 'sha256Old' : file_hash(file_path)};
fileMetaMap['contentHashPre'] = content_hash(file_path)
pngCrushOutput = ""
try:
pngCrushOutput = subprocess.check_output("pngcrush -brute -ow -rem gAMA -rem cHRM -rem iCCP -rem sRGB -rem alla -rem text "+file_path+" >/dev/null 2>&1", shell=True).rstrip('\n')
pngCrushOutput = subprocess.check_output(
[pngcrush, "-brute", "-ow", "-rem", "gAMA", "-rem", "cHRM", "-rem", "iCCP", "-rem", "sRGB", "-rem", "alla", "-rem", "text", file_path],
stderr=subprocess.STDOUT).rstrip('\n')
except:
print "pngcrush is not installed, aborting..."
sys.exit(0)
#verify
if "Not a PNG file" in subprocess.check_output("pngcrush -n -v "+file_path+" >/dev/null 2>&1", shell=True):
if "Not a PNG file" in subprocess.check_output([pngcrush, "-n", "-v", file_path], stderr=subprocess.STDOUT):
print "PNG file "+file+" is corrupted after crushing, check out pngcursh version"
sys.exit(1)
fileMetaMap['sha256New'] = file_hash(file_path)
fileMetaMap['contentHashPost'] = content_hash(file_path)
if fileMetaMap['contentHashPre'] != fileMetaMap['contentHashPost']:
print "Image contents of PNG file "+file+" before and after crushing don't match"
sys.exit(1)
fileMetaMap['sha256New'] = subprocess.check_output("openssl dgst -sha256 "+file_path, shell=True).rstrip('\n')
fileMetaMap['psize'] = os.path.getsize(file_path)
outputArray.append(fileMetaMap)
print("done\n"),
print "summary:\n+++++++++++++++++"
for fileDict in outputArray:
oldHash = fileDict['sha256Old'].split("= ")[1]
newHash = fileDict['sha256New'].split("= ")[1]
oldHash = fileDict['sha256Old']
newHash = fileDict['sha256New']
totalSaveBytes += fileDict['osize'] - fileDict['psize']
print fileDict['file']+"\n size diff from: "+str(fileDict['osize'])+" to: "+str(fileDict['psize'])+"\n old sha256: "+oldHash+"\n new sha256: "+newHash+"\n"