Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Generate cover [a.k.a. thumbnail/poster] for video manually uploaded #196

Merged
merged 13 commits into from
Jun 21, 2024
+17 −5
Merged

Generate cover [a.k.a. thumbnail/poster] for video manually uploaded #196

Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
d81458a
Generate cover for video manually updated
deldesir Jun 20, 2024
0416359
Enhance frame selection
deldesir Jun 20, 2024
9ef5a1d
Add explanatory comments
deldesir Jun 20, 2024
f8c39f2
Sanitize input and output path
deldesir Jun 20, 2024
46f0e6c
Set ffmpeg failure as error
deldesir Jun 20, 2024
2bdd296
Enhance cover/poster generation
deldesir Jun 21, 2024
3379ee8
Add explanatory comments back
deldesir Jun 21, 2024
3a965f8
uploader.py: Just a warning about shlex.quote() risks
holta Jun 21, 2024
90f0b50
Remove unnecessary sanitizing function
deldesir Jun 21, 2024
cbaad2b
Preserve shlex for future use of sanitize_path, even if commented out (:
holta Jun 21, 2024
e7d9636
use subprocess directly
deldesir Jun 21, 2024
686d6a3
Remove subprocess import
deldesir Jun 21, 2024
10296a7
Import subprocess
deldesir Jun 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 17 additions & 5 deletions cps/uploader.py
View file
Open in desktop
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the same video
image

Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,10 @@
import datetime
import os
import hashlib
import subprocess
# import shlex
import shutil
import sqlite3
from subprocess import run
from flask_babel import gettext as _

from . import logger, comic, isoLanguages
Expand Down Expand Up @@ -304,6 +305,7 @@ def video_metadata(tmp_file_path, original_file_name, original_file_extension):
else:
log.warning('Cannot find the xklb database, using default metadata')
else:
generate_video_cover(tmp_file_path)
meta = BookMeta(
file_path=tmp_file_path,
extension=original_file_extension,
Expand All @@ -320,22 +322,32 @@ def video_metadata(tmp_file_path, original_file_name, original_file_extension):
identifiers=[])
return meta

# Yes shlex.quote() can help! But flags/options/switchs can still be dangerous:
# https://stackoverflow.com/questions/49573852/is-python3-shlex-quote-safe
# def sanitize_path(path):
# """Sanitize the file path to prevent command injection."""
# return shlex.quote(path)

def generate_video_cover(tmp_file_path):
ffmpeg_executable = os.getenv('FFMPEG_PATH', 'ffmpeg')
ffmpeg_output_file = os.path.splitext(tmp_file_path)[0] + '.cover.jpg'

ffmpeg_args = [
ffmpeg_executable,
'-i', tmp_file_path,
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Defensive programming reminder: Sanitize the file path to prevent command injection

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll use shlex for now. Should be safe on POSIX compliant shells. (Done in f8c39f2)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a general warning that shlex.quote() is not bulletproof:

3a965f8

(Though it's probably good enough for path sanitizing!)

'-vframes', '1',
'-y', ffmpeg_output_file
'-vf', 'fps=1,thumbnail,select=gt(scene\,0.1),scale=-1:720', # apply filters to avoid black frames and scale
'-frames:v', '1', # extract only one frame
'-vsync', 'vfr', # variable frame rate
'-y', # overwrite output file if it exists
ffmpeg_output_file
]

try:
ffmpeg_result = run(ffmpeg_args, capture_output=True, check=True)
ffmpeg_result = subprocess.run(ffmpeg_args, capture_output=True, check=True)
log.debug(f"ffmpeg output: {ffmpeg_result.stdout}")

except Exception as e:
log.warning(f"ffmpeg failed: {e}")
log.error(f"ffmpeg failed: {e}")
return None

def image_metadata(tmp_file_path, original_file_name, original_file_extension):
Expand Down