# Read (malicious) filename from user, over the web:
$filename = "/etc/passwd\0.jpg";

# Verify it's a .jpg file:
$filename =~ /\.jpg$/ or return;

# Verify it exists:
-f $filename or return;

# Output the file to the user:
send_file( $filename );