This appears to be a problem with the File::Path module itself. Not your test program. Somehow within File::Path one of the variables gets insecure (untainted right?). I added the following to the module but I need someone elses opinion to make sure that the change I made isn't seriously dangerous. I added the line:

($root) = $root =~ m!^([\w\d\-_/\.]+)$!;
[download]

to the module between the lines 208 and 209 and before line 239. After this was added the test code worked fine.

BMaximus

Update: Small diff made to make things easy

208a209,211
>           
>           ($root) = $root =~ m!^(\w\d\-_/\.+)$!;
> 
232a236,238
> 
>               ($root) = $root =~ m!^(\w\d\-_/\.+)$!;
>