Okay, maybe I'm missing something here, so any light shed on this would be great.

If I am not mistaken, you're allowing the user to specify the filename in $basename? Admittedly, File::Basename appears to do a good job of just extracting that name and nothing else. Therefore, specifying a filename of ../etc/passwd probably can't happen. However, I'm wondering if the person sending the data can spoof a different OS which doesn't use / as a path separator, and therefore allow the above path to be used as a filename. Not sure if that's possible or not, but I wouldn't bet against it.

Also, I can't help but wonder if it's vulnerable to the problem documented here. Just having untainted data going to the shell gives me willies.

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just go the the link and check out our stats.