Do you have any error/warning messages in your web server's log files? They are worth checking.

I think you have some problems with taint mode, because the following code does not untaint the variable, your $untainted_filename is still tainted.

    if ($filename =~ /\w+.\w+$/) {
        $filename =~ s|.*\\||;
        $untainted_filename = $filename;
[download]

A (maybe not the best, but pretty good, first google result ;) tutorial on taint mode and how to capture the regexp match to create the new variable: