I may be missing the point altogether, but you might not want to have the path listed at all. Instead, put in a cgi script that takes the web dir path and returns the image from the real path. That is, the URL
http://mysite.com/cgi-bin/get-image/image1.jpg
would execute the cgi-bin script "get-image" w/ a PATH_INFO (?) env var ($ENV{PATH_INFO in your script) of "/image1.jpg". At that point, get-image can do any sort of security/un-tainting (e.g.

my $path-info = $ENV{PATH_INFO}
my $path = "/home/usrs/rjoseph/images";
$path-info =~ s/^[^/]// # strip of preceeding noise
$path-info =~ s#[^/\w\.]//g  # strip out any non-word dot chars
[download]

and then say:

my $file_path = "$path/$path-info";
if ( -s $file_path ) {
  open(FILE, $file_path) or die ...
[download]

So if you're writing back URLs to your web users, you can do:

foreach my $file ( @image_list ) {
  $file =~ s#$path##;    # remove the physical path part
  my $file_name = $file;
  $file_name = s/\.\w+$//;  # strip off extension
  print "<a href=\"http://mysite.com/cgi-bin/get-image/$file">Image: $
+file_name</a>";
}
[download]

where @image_list has your real file names in it. You may want to take a look at CGI.pm file upload freaking me out

a