Me bad! I didn't notice that. In that case,

File::Copy::move($a{from}, $a{to});
[download]

or

system('/bin/mv', $a{from}, $a{to});
[download]

is much safer! He'll might still need to untaint $ENV{PATH} (by setting it to a known value), but there's no shell involved. mv sets the error result, so that can be used instead of capturing the output.