Show HN: PDF Inverter for macOS (In Golang) Darken Your PDFs (opens in new tab)

And written to be less readable with e.g.:

    return bytes.ReplaceAll(script, []byte{0x09}, []byte{0x20, 0x20, 0x20, 0x20})

instead of

    bytes.ReplaceAll(script, []byte("\t"), []byte("    "))

Skimming through the code, there's a lot of other pretty basic mistakes.

The most egregious is that the use of a python script has a security issue. Let's see if you can spot it, it's in these lines:

    tmp := fmt.Sprintf("/var/tmp/invertpdf--%s/", time.Now().Format("20060102150405"))
    os.Mkdir(tmp, 0700)
    WriteText(tmp+"pngtopdf.py", GetPDFConv())
    // later execute that .py file

So, what's the issue? Well, using a predictable temporary directory and then not checking for an error in `mkdir` means that an attacker can easily create that directory before you do (especially since it's a predictable name based on the time), and then write their own python script. That lets another user on your machine run arbitrary code as your user.

"But", you might say, "WriteText does an os.Exit if it can't write the file". That doesn't matter. If i create the directory with permissions 777, and then have a program waiting for the python script to be written in order to replace it with a malicious script, Mkdir will error (dir already exists), but WriteText will succeed, and so the vulnerability still happens.

This is the sort of dumb vulnerability you get if you don't know that `ioutil.TempDir` exists (or don't know about symlink races, tmpdir races, etc). `ioutil.TempDir("/var/tmp", "invertpdf-")` would be the more secure way to do this, though obviously you still should check that error too.

There's a lot of other problems with this program, but this vulnerability is the most obvious.

But using boring Python only, you are unable to add fancy Go mention to the submission's title!

Using Go to wrap a Python script that is mostly just a wrapper for some macOS APIs.

It may be possible to replace the dependency on the python script by using objective c to call the required libraries, then expose a c API that can be called from the go application. E.g. https://gist.github.com/porty/6b94f7f908ed7af0f070 https://github.com/caseymrm/menuet

That said, I've seen messier things than python-in-go shipped and used reliably in production to solve business problems.

Zathura also exists on macOS..

You can also do it in Okular.

yep, seems to be built right into gnome on Ubuntu https://imgur.com/a/CA6zoWf

mupdf also supports this.

Hmm, for me, following works with Google Chrome PDF viewer:

Bookmarklet

javascript:(function() { var v = document.getElementsByTagName("html"); v[0].style.background = "white"; v[0].style.filter = "invert(90%) sepia(60%) brightness(70%)"; v[0].style.backgroundColor = "black"; document.getElementsByTagName("body")[0].style.background = "white"; })();

That does not work with the Chrome PDF viewer for me. (Chrome 87, Mac)

Didn't work for me. I'm using Brave.

Why would that be a feature of an application? That’s an OS function (https://www.apple.com/accessibility/mac/vision/)

I like dark reader too, with the most gpu intensive mode and sepia it makes for some really good dark modes for most websites. And I’ve built dark mode css off of it as an inspiration.

Edit: the "Dynamic" (GPU) mode doesn't work on all sites. On HN I'll use Filter+ with the settings -20 brightness, contrast off, sepia +30, grayscale off.

While on Github I'll do -5, 0, +30, 0. Mainly just tweaking the brightness while having Sepia on most sites.

Didn’t the getpolarized spam used to come from a different account?