The task is: I fill in the variables through a POST request, which is processed by the server. Next, I want to use these variables to change the date and time on Linux (RPi).

    _year = request.form['_year']
    _month = request.form['_month']
    _day = request.form['_day']
    _hour = request.form['_hour']
    _minute = request.form['_minute']
    _second = request.form['_second']
    os.system('date -s "%d %s %d %d:%d:%d"') % (_day, _month, _year, _hour, _minute, _second)

Please tell me why "%d %s %d %d:%d:%d" doesn't work?

  • Because % is applied not to the string but to the result of the os.system call - andreymal
  • However, the corrected code still does not work because of the string substitution into %d, and if that is fixed too, such code becomes a security hole, because a malicious user will send the month `Jan; rm -rf /* #` - andreymal
  • @andreymal I didn't quite understand the bit about what gets sent - Insider
  • @Insider the point is that, as the value of request.form['_month'], the client can slip in `Jan; rm -rf /*` (which results in recursive deletion of everything from the root of the file system) or something else dangerous. That is, the advice will help you, but it turns out to be like blindly swinging a heavy axe over your head :) - approximatenumber
  • @approximatenumber good, so which Python module can change the system time on Linux then? - Insider

1 answer

why "%d %s %d %d:%d:%d" doesn't work?

Because you have the % outside the call parentheses: os.system(..) % ..
You need to write f("%sformat%s" % ("a", 1)) instead of f("%sformat%s") % ("a", 1). Even once this is fixed, it is not good to pass arbitrary strings to the shell without checking them.

Break your task into two:

  1. Recognize the date as a datetime object:

     from datetime import datetime
     # request: the web framework's request object, as in the question
     dt = datetime.strptime(request.form['date'], '%Y-%m-%d %H:%M:%S')
  2. Call the necessary command using the received datetime object:

     import subprocess
     # argv list, no shell: the date is passed as a single argument
     subprocess.check_call(['date', '-s', str(dt)])

This lets you make sure that the date was given in the correct format before attempting to start the command, and there is no danger of executing an arbitrary command (such as deleting all files).

date -s may require special privileges (root). This command does not change the output of sudo hwclock --show (the hardware clock). Usually ntp is used if you want to synchronize the time with an external source.
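The two steps of the answer as functions, with a handler that reports bad input to the client before any command is built. This is an added example, not code from the answer; `handle_set_time` and the `form` dict are a hypothetical stand-in for the framework's request handling.

```python
# Added example (not from the original answer): validate first, then run
# `date -s` without a shell, and reject bad input before it gets that far.
import subprocess
from datetime import datetime

DATE_FORMAT = '%Y-%m-%d %H:%M:%S'


def parse_submitted_date(text: str) -> datetime:
    """Step 1: turn the submitted string into a datetime or raise ValueError.
    Anything that is not exactly YYYY-MM-DD HH:MM:SS (extra characters,
    shell metacharacters, a month name) is rejected here."""
    return datetime.strptime(text, DATE_FORMAT)


def build_date_command(dt: datetime) -> list:
    """Step 2: build the argv list for `date -s`. A list is passed straight to
    the program, no /bin/sh in between, so the value is one argument whatever
    it contains."""
    return ['date', '-s', dt.strftime(DATE_FORMAT)]


def handle_set_time(form: dict):
    """Hypothetical request handler (stand-in for the framework's view).
    Returns (http_status, message); the command only runs after parsing
    succeeded. Setting the clock needs root on Linux."""
    try:
        dt = parse_submitted_date(form.get('date', ''))
    except ValueError as exc:
        # Bad input is answered in Python with a useful message, the way the
        # comments recommend, instead of reaching the system command.
        return 400, 'bad date: %s' % exc
    subprocess.check_call(build_date_command(dt))
    return 200, 'time set to %s' % dt
```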

  • As for security, I added authentication, so that nobody can send or request anything through GET/POST until they have authenticated. - Insider
  • @Insider: 1- even if you know who is executing the request (that is, the request is authenticated), you still should not allow arbitrary strings from the Internet to be executed (the principle of Defense in Depth). 2- even if you forget about security, it is more convenient to handle incorrect input (errors in the date format) in Python (the error messages are more useful) before running the system command. - jfs
  • Well, noted; I'll implement as much of this as possible. - Insider