Ah, I guess this makes a little more sense.
Still, I might suggest that you use HTTP authentication to do something like that. That way you can use the same standard URL, but allow the HTTP authentication to determine who gets access to it.
Saving that, it looks like the technique you describe should work for you. I might extend it to put the filename in the "path_info" variable for your script.
use CGI ':standard';
use File::Spec 'rel2abs';
my $base = '/www';
my $filename = rel2abs(path_info, $base);
if ($filename =~ /^\Q$base/ && open(F, "< $filename\0") && -f F) {
print "Content-type: application/pdf\n"; # or whatever
print "Content-length: ", -s F, "\n\n";
print while <F>;
close(F);
} else {
# handle errors, perhaps do a Status: 403 or 404
# along with a nice description, using $! if you want
}
Then you can call your script like this:
http://www.example.com/cgi-bin/script.pl/path/filename.pdf
Which will end up retrieving
/www/path/filename.pdf, if it exists. Otherwise presumably you'd want to send a 404 status, for example. This would allow you to use "real"-looking URL's while pumping it through your CGI anyway.