in reply to problem saving string to cgi::session with Taint
update: I was being a retard.. The session id and the session directory on server needed to be untainted, not for reading, but for writing. duh. so.. I added this:
# ...
use strict;
use warnings;
use CGI;
use CGI::Session;

# load_nouser() is the script's own config loader (not shown in the post)
my $DMS = load_nouser(conf => '/srv/www/htdocs-devel/dms/conf/dms.conf');

# init cgi
my $cgi = CGI->new;
for ($cgi->param()) {
    /^session$|^user_file$/ or die("bad field");
}
# some minor checking .. make sure no extraneous data sent

$$DMS{S}{session} = $cgi->param('session');
$$DMS{S}{session} =~ m/^\w{32}$/
    or die("no sid [$$DMS{S}{session}] or not 32 word chars");

#################################################################
# I WAS BEING A RETARD: these needed to be untainted... :)
# only the captured group ($1) is untainted, so assign it back
if ($$DMS{S}{session} =~ m/(^\w+$)/) {
    $$DMS{S}{session} = $1;
} else {
    die "session id failed untaint check";   # $! is not set by a failed match
}
# directory: letters, digits, '_', '/', space and '-' only; no '.' so '..' cannot pass
if ($$DMS{CONF}{SESSIONS_DIR} =~ m/^([\/\w -]+)$/) {
    $$DMS{CONF}{SESSIONS_DIR} = $1;
} else {
    die "SESSIONS_DIR failed untaint check";
}
##############################################################
# you dont need to untaint to read, but to write, yes, to the session file

$$DMS{s} = CGI::Session->new("driver:File", $$DMS{S}{session},
                             { Directory => $$DMS{CONF}{SESSIONS_DIR} });

$ENV{REMOTE_ADDR} or die('no ip');
$ENV{REMOTE_ADDR} eq $$DMS{s}->param('_SESSION_REMOTE_ADDR') or die("bad ip");
# ......
Now it's happy :).
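The taint rule the post runs into, as an added stand-alone example (not the poster's code): under -T, reading a file through a tainted path is allowed, writing through one is fatal, and only a regex capture makes a value clean. The helper names untaint_session_id and untaint_sessions_dir are this example's own; it assumes it is run as `perl -T`, that PATH is set (it is in any CGI environment) and that a writable temp directory exists. The inputs are constructed, pulled through a tainted %ENV value to mark them the way $cgi->param() would.

```perl
#!/usr/bin/perl -T
# Added example, not the original poster's code: demonstrates the -T rule
# (read through a tainted path is fine, write is fatal, regex capture untaints).
# Assumptions: run as `perl -T`, PATH set, writable temp directory available.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp   qw(tempdir);

# Whitelist untaint of the session id: exactly 32 word characters.
# Only the captured group ($1) comes back clean, so that is what we return.
sub untaint_session_id {
    my ($sid) = @_;
    defined $sid && $sid =~ /\A(\w{32})\z/
        or die "no sid or not 32 word chars: [" . ($sid // 'undef') . "]\n";
    return $1;
}

# Whitelist untaint of the sessions directory, same class as the post's
# regex. There is deliberately no '.' in the class, so "/srv/../etc" fails.
sub untaint_sessions_dir {
    my ($dir) = @_;
    defined $dir && $dir =~ m{\A([/\w -]+)\z}
        or die "sessions dir rejected: [" . ($dir // 'undef') . "]\n";
    return $1;
}

# Constructed inputs. Concatenating an empty substring of a tainted %ENV
# value marks the result tainted, which is what $cgi->param() would give us.
my $taint  = substr($ENV{PATH} // '', 0, 0);
my $sid_in = $taint . ('a' x 32);              # client-supplied session id
my $dir_in = $taint . tempdir(CLEANUP => 1);   # value "read from the config"

printf "session id tainted on input: %s\n", tainted($sid_in) ? 'yes' : 'no';

my $sid = untaint_session_id($sid_in);
my $dir = untaint_sessions_dir($dir_in);
printf "session id tainted after untaint: %s\n", tainted($sid) ? 'yes' : 'no';

# 1. Write with the untainted values: this is what CGI::Session needs to do.
my $clean_path = "$dir/cgisess_$sid";
open my $out, '>>', $clean_path or die "cannot write $clean_path: $!";
print {$out} "_SESSION_REMOTE_ADDR=198.51.100.7\n";   # constructed content
close $out;
print "wrote $clean_path\n";

# 2. Read through the still-tainted path: permitted, as the post says.
my $tainted_path = "$dir_in/cgisess_$sid_in";
open my $in, '<', $tainted_path or die "cannot read $tainted_path: $!";
my $line = <$in>;
close $in;
print "read back via tainted path: $line";

# 3. Write through the tainted path: perl refuses ("Insecure dependency").
eval { open my $fh, '>>', $tainted_path or die "open: $!"; close $fh; 1 }
    or print "write via tainted path refused: $@";

# 4. Inputs the whitelists reject: a traversal-style directory, a short id.
eval { untaint_sessions_dir($taint . '/srv/www/../etc'); 1 }
    or print "rejected: $@";
eval { untaint_session_id($taint . 'abc'); 1 }
    or print "rejected: $@";
```

Run it as `perl -T example.pl`; without -T on the command line Perl stops with "Too late for -T option". The two untaint helpers return only $1, never the input variable, because assigning the whole tainted scalar back would leave it tainted even after the match succeeded.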