open FILE, "$filepath/$filename";
# so provided we hard code $filepath....
my $filepath = '/usr/somewhere';
# and untaint $filename ensuring there are no ../ etc, in it
my $filename = $q->param('filename') || '';
($filename) = $filename =~ m/^([\w.-]+)\z/;
# then this is quite safe...
open FILE, "$filepath/$filename" or die $!;
As you rightly point out, open FILE, $file where the user supplies $file and it is not untainted is dangerous as hell; see this for why.
cheers
tachyon
s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
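An added example, not part of the post above: the same untaint pattern wrapped in a helper and run over constructed inputs. It goes one step further than the post by rejecting `.` and `..` (which `[\w.-]+` accepts) and by using three-argument open. The names `safe_name` and `open_in_dir` and the scratch directory are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical helper: return the validated name, or nothing if the input
# is not a plain file name. Same pattern as the post, plus a check for
# "." and "..", which [\w.-]+ would otherwise let through.
sub safe_name {
    my ($raw) = @_;
    return unless defined $raw;
    my ($name) = $raw =~ m/^([\w.-]+)\z/;   # \z also refuses a trailing newline
    return unless defined $name;
    return if $name eq '.' or $name eq '..';
    return $name;
}

# Hypothetical helper: open a validated name for reading under a fixed
# directory. Three-argument open treats the path as a literal file name.
sub open_in_dir {
    my ($dir, $raw) = @_;
    my $name = safe_name($raw);
    return unless defined $name;
    open my $fh, '<', "$dir/$name" or return;
    return $fh;
}

# Constructed demo: a scratch directory stands in for the hard-coded path.
my $dir = tempdir(CLEANUP => 1);
open my $out, '>', "$dir/report.txt" or die $!;
print {$out} "hello\n";
close $out;

# Constructed inputs standing in for $q->param('filename').
for my $raw ('report.txt', '../report.txt', 'report.txt|', "report.txt\n", '..', '') {
    my $fh = open_in_dir($dir, $raw);
    (my $shown = $raw) =~ s/\n/\\n/g;       # make the newline visible in output
    printf "%-16s %s\n", "'$shown'", $fh ? 'opened' : 'rejected';
    close $fh if $fh;
}
```

Only the first input is opened; every other name fails the pattern or the dot check before any path is built.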