in reply to Help make upload from web secure

As a general rule of thumb, I would not let users choose the filename of files they upload.
    my $file = param("file");
    my @file_name = split(/\\/,$file);
    my $file_name = pop(@file_name);
What happens if the filename is .htaccess? I'm not really up on my un*x type environments, but I imagine that this could cause you heartaches.

Also, since your shebang line (#!/usr/bin/perl -w) suggests that you are on a un*x type system, shouldn't your slashes be the other way? Consider the following:

    my $file = '../../bin/ls|';
    my @file_name = split(/\\/,$file);
    my $file_name = pop(@file_name);
    print $file_name;

That prints "../../bin/ls|" as the filename. With the reverse directory traversal, this should allow them to back up to the /bin directory and with the trailing pipe, run commands on the server. Again, I am not as familiar with non-Windows environments, but this doesn't look terribly secure to me.

Of course, you also want taint checking. Read perlsec for details. Plus, my online CGI course has a bit of information about security that you may find useful.

If I have my CPU up my exhaust port, please let me know.

Cheers,
Ovid

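The points raised in the post above, as an added example that is not code from the original post or thread: the client-supplied name is reduced to a display label only, and the data is stored under a name the server picks with File::Temp. The function names `display_name` and `store_upload`, the sample names and the temporary directory standing in for the upload directory are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile tempdir);

# Reduce a client-supplied name to a label for display or logging only.
# Returns undef when nothing acceptable is left.
sub display_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    # Keep only what follows the last "/" or "\" (both separator styles).
    my ($base) = $raw =~ m{([^/\\]*)\z};
    # Whitelist: must start with a letter or digit, so ".htaccess" is refused,
    # and may contain only safe characters, so "|" and newlines are refused.
    return undef unless $base =~ /\A([A-Za-z0-9][A-Za-z0-9._-]{0,63})\z/;
    return $1;    # captured value, so it is also untainted under -T
}

# Store the data under a server-chosen name. The client name never reaches
# open(), so a trailing "|" or a "../" sequence has nothing to act on.
sub store_upload {
    my ($in_fh, $dir) = @_;
    my ($out_fh, $path) = tempfile('upload_XXXXXXXX',
        DIR => $dir, SUFFIX => '.bin', UNLINK => 0);
    binmode $out_fh;
    while (read($in_fh, my $buf, 8192)) {
        print {$out_fh} $buf or die "write $path: $!";
    }
    close $out_fh or die "close $path: $!";
    return $path;
}

# Constructed sample names, including the two cases from the post.
for my $raw ('C:\\docs\\report.pdf', '../../bin/ls|', '.htaccess', 'notes.txt') {
    my $label = display_name($raw);
    printf "%-20s => %s\n", $raw, defined $label ? $label : '(rejected)';
}

# Constructed upload body, read from an in-memory filehandle.
my $body = "constructed upload body\n";
open my $in, '<', \$body or die "open: $!";
my $dir = tempdir(CLEANUP => 1);    # stand-in for a directory outside the web root
print "stored as ", store_upload($in, $dir), "\n";
```

In a real CGI script the label would go into a log or database row next to the generated path, never into a filesystem call.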