toniax has asked for the wisdom of the Perl Monks concerning the following question:

Hello,
Does a way exist to satisfy the taint check on a wild card such as
unlink glob ("$upload_dir/$in{'imgid'}.*") or die "Can't delete file : $!";
-X-

Re: unlink taint
by ikegami (Patriarch) on Dec 20, 2010 at 22:17 UTC

    First, that is buggy. If there are 3 files that match the pattern and only two can be deleted, you won't get an error. The problem should have been obvious to you when you found you were unable to specify which file couldn't be deleted. Fix:

    for (glob ("$upload_dir/$in{'imgid'}.*")) {
        unlink($_) or die("Can't delete file $_: $!\n");
    }

    Does a way exist to satisfy the taint check on a wild card such as

    To delete the contents of a path, all you have to do is make sure the path is correct.

    use Scalar::Util qw( tainted );
    die("Tainted") if tainted($upload_dir) || tainted($in{'imgid'});
    for (glob ("$upload_dir/$in{'imgid'}.*")) {
        # glob results are tainted; m// in list context returns the capture, which is not
        unlink(/(.*)/s) or die("Can't delete file $_: $!\n");
    }
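A fuller version of the approach above, added here as an example (not code from the thread): the user-supplied id is untainted against a whitelist before it is interpolated into the glob, and each glob result is untainted individually by pinning it to the upload directory and an allowed extension. The directory, the id, the extension list and the `%in` hash are assumptions standing in for the original script's values.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

# Constructed stand-in for a CGI parameter. Run as "perl -T this.pl img42" so that
# the value really is tainted (command-line arguments are tainted under -T).
my %in = ( imgid => $ARGV[0] // 'img42' );

# Step 1: untaint the id by capturing only the characters a valid id may contain.
# The captured text is untainted; a "../" or shell metacharacters never get this far.
my ($imgid) = $in{'imgid'} =~ /\A([A-Za-z0-9_-]{1,64})\z/
    or die "Invalid imgid\n";

# Constructed stand-in for the real upload directory, populated so this runs stand-alone.
my $upload_dir = tempdir(CLEANUP => 1);
for my $ext (qw(jpg png)) {
    open my $fh, '>', "$upload_dir/$imgid.$ext" or die "open: $!";
    close $fh;
}

# Step 2: glob results are tainted regardless of the pattern, so untaint each path
# with a regex that only accepts files under $upload_dir with an allowed extension.
# A path that does not fit is an error rather than something silently skipped,
# and every unlink is checked individually, as in ikegami's fix above.
my $deleted = 0;
for my $path (glob("$upload_dir/$imgid.*")) {
    my ($safe) = $path =~ m{\A(\Q$upload_dir\E/$imgid\.(?:jpg|png|gif))\z}
        or die "Unexpected glob result: $path\n";
    unlink($safe) or die "Can't delete file $safe: $!\n";
    $deleted++;
}

printf "input tainted: %d, untainted id tainted: %d, deleted %d file(s)\n",
    tainted($in{'imgid'}) ? 1 : 0, tainted($imgid) ? 1 : 0, $deleted;
```

Run it with `perl -T` and an argument to see the first flag report 1 and the second 0; without `-T` the script still works but nothing is tainted.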
Re: unlink taint
by Anonyrnous Monk (Hermit) on Dec 20, 2010 at 21:46 UTC

    It's not the wildcard (.*) that makes the expression tainted, but rather what's in $upload_dir and/or $in{'imgid'} (if they originate from program-external input), so you need to untaint those. update: actually, it's the glob itself that, too, returns tainted data (with or without '*').

    See perlsec for how to do it.

      You are mistaken.

      $ perl -MScalar::Util=tainted -TE'say tainted($_) for glob "*"'
      1
      1
      1
      1

      glob is a source of external input when "*" is used. Same goes for readdir.

      $ perl -MScalar::Util=tainted -TE'opendir(my $dh, "."); say tainted($_) for readdir($dh)'
      1
      1
      1
      1
      1
      1
        glob is a source of external input when "*" is used.

        You're right. A quick test shows, though, that it doesn't matter whether there's a '*' in the glob expression or not:

        $ perl -MScalar::Util=tainted -TE'say tainted($_) for glob "foo"'
        1
      I tried to untaint $upload_dir and/or $in{'imgid'} and it did not work. I will have to read up on it more. Thanks
      -X-
        How did you try to untaint those values, and how did you determine that it did not work?

        If you show the code you've tried, we might see what was wrong with it...