

Listing 3 - /opt/sysadmin/unsecure_du - Sample CGI script without secure argument filtering.

#!/bin/csh
#
# The following is an example of a simple CGI program
# requiring a security wrapper to check user input.
#
# Purpose: for each directory named in the argument list, print an HTML
# page showing the disk usage (du -sk) of its entries, largest first,
# with every entry linked back to /cgi-bin/du for drill-down.
#
# Input: argv. The page emits an ISINDEX tag and links of the form
# /cgi-bin/du?PATH, so argv is presumably filled from the request query
# string by the web server -- TODO confirm against the server setup.
#
# NOTE(review): nothing in this script validates, quotes or encodes that
# input; each use is marked below. It should only be reachable through a
# wrapper that accepts an allow-list of path characters and a fixed base
# directory and rejects everything else before this script runs.
# NOTE(review): the interpreter line has no -f flag, so csh also reads
# the startup file of the account the script runs as.
#
# CGI response header, then the blank line that ends the header section.
echo 'Content-type: text/html'
echo ''
echo '<HTML><HEAD>'
# NOTE(review): argv is copied into the page title with no HTML encoding,
# so markup in the request is reflected to the browser as markup.
echo "<TITLE> Show Largest Directories in $argv </TITLE>"
echo '<ISINDEX>'
# NOTE(review): this closes a BODY element that was never opened; an
# opening BODY tag was probably intended -- confirm.
echo '</HEAD></BODY>'
echo '<PRE>'
# NOTE(review): argv is expanded unquoted inside a command substitution.
# csh rescans the value, so shell metacharacters and wildcards arriving
# in the request are interpreted by the shell instead of being treated
# as data. This is the input the security wrapper has to filter; the :q
# modifier or double quotes would keep each word literal.
foreach directory (`echo $argv`)
   echo "Size of files in ${directory}:"
   # NOTE(review): the path is used unquoted and is not checked against
   # a permitted directory tree, so du reports on any path the web server
   # account can read, and a value starting with a dash is read by du as
   # an option. The awk stage prints field 2 (the path) into the link
   # target and link text without HTML or URL encoding, and names that
   # contain white space are cut at the first blank by awk field
   # splitting.
   /bin/du -sk ${directory}/* | sort -nr | \
      /usr/bin/awk '{printf("%-9s<A HREF=/cgi-bin/du?%s>%s</A>\n",$1,$2,$2)}'
   echo ''
end
echo '</PRE>'
echo '</BODY></HTML>'

