in reply to Controlling Inputted Paths in a CGI Script

If you want to accept all valid paths and file names and avoid anything unsafe, you'd need to do something more complicated, like split on the / and check each element individually.

However, if you are willing to say, "I don't care about all legal file names; my files will be limited to alphanumeric, underscore, space, dash, slash and dot" (which seems reasonable), then remove everything else and eliminate multiple dots.

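$file =~ s@[^\w/. -]@@g;   # keep only word characters, slash, dot, space and dash
$file =~ s/\.+/./g;        # collapse each run of dots into a single dot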

-monkfish (The Fishy Monk)
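
The "split on the / and check each element" approach mentioned in the reply above, shown next to the substitution approach on a few constructed inputs. This is an added example, not code from the original post; the base directory `/var/www/data` and the sub names `safe_relative_path` and `whitelist_path` are assumptions made for illustration.

```perl
use strict;
use warnings;

# Assumption: files are served from under this directory (hypothetical path).
my $BASE = '/var/www/data';

# Split on "/" and check each element. Returns the cleaned relative path,
# or undef (in scalar context) if any element is unsafe.
sub safe_relative_path {
    my ($path) = @_;
    return unless defined $path && length $path;
    return if $path =~ m{^/};                  # absolute path would ignore $BASE
    my @clean;
    for my $part (split m{/}, $path) {
        next if $part eq '' || $part eq '.';   # "a//b" and "a/./b" are harmless
        return if $part eq '..';               # would climb out of $BASE
        return if $part =~ /[\x00-\x1f\x7f]/;  # control characters, NUL and newline included
        push @clean, $part;
    }
    return unless @clean;
    return join '/', @clean;
}

# The substitution approach from the post, wrapped in a sub for comparison.
sub whitelist_path {
    my ($file) = @_;
    $file =~ s@[^\w/. -]@@g;
    $file =~ s/\.+/./g;
    return $file;
}

# Constructed sample inputs.
for my $in ('reports/2024/q1.txt', '../../etc/passwd', '/etc/passwd',
            'a//b/./c.txt', "x\n/y", 'notes/my file.txt') {
    my $checked = safe_relative_path($in);
    (my $shown = $in) =~ s/\n/\\n/g;           # make the newline visible in output
    printf "%-22s per-element: %-36s whitelist: %s\n", $shown,
        defined $checked ? "$BASE/$checked" : 'REJECTED',
        whitelist_path($in);
}
```

The substitution leaves a leading slash in place, so whichever approach is used, the result should still be joined onto a fixed base directory rather than opened as given.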