in reply to Re: The danger of hidden fields
in thread The danger of hidden fields

The heart may be in the wrong place, but trusting HTTP_REFERER for a validity check is not the right solution.

Also, if you are trusting user input to name a file, what if the user names a "file" (with proper encoding, of course) something like | rm -rf /?
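As an added example (not code from this thread or its poster), one way to accept a user-supplied filename without ever handing it to a shell: a strict allowlist on the name plus a containment check on the resolved path, written in Python. The upload directory and the helper names are assumptions; the Referer header plays no part in the check, since it is just more client-supplied input.

```python
import os
import re
import tempfile
from typing import Optional

# Allowlist: an alphanumeric first character, then up to 63 of [A-Za-z0-9._-].
# This rules out shell metacharacters (|, ;, &, spaces), path separators and
# names such as "." or ".." before the string goes anywhere near the filesystem.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def safe_upload_path(user_name: str, upload_dir: str) -> Optional[str]:
    """Return an absolute path for user_name under upload_dir, or None if rejected."""
    if not SAFE_NAME.fullmatch(user_name):
        return None
    base = os.path.abspath(upload_dir)
    path = os.path.abspath(os.path.join(base, user_name))
    # Defence in depth: the resolved path must sit directly inside upload_dir,
    # so a name that somehow slipped past the regex still cannot escape it.
    if os.path.dirname(path) != base:
        return None
    return path


def save_upload(user_name: str, data: bytes, upload_dir: str) -> bool:
    """Write data to the validated path; never builds a command line."""
    path = safe_upload_path(user_name, upload_dir)
    if path is None:
        return False
    # O_EXCL refuses to clobber an existing file; mode 0600 keeps it private.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True


def demo() -> dict:
    """Constructed inputs, including the thread's own example name."""
    with tempfile.TemporaryDirectory() as d:
        return {
            "pipe_rm": save_upload("| rm -rf /", b"x", d),      # rejected
            "traversal": save_upload("../etc/passwd", b"x", d),  # rejected
            "plain": save_upload("report.txt", b"x", d),         # written
        }


if __name__ == "__main__":
    print(demo())
```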