|The stupid question is the question not asked|
I appreciate the words of wisdom, especially from someone so steeped in the dark arts of Win Perl ;~)
Getting down to business though, I think it would just be a matter of blacklisting filenames (not paths) containing things that qualify as a "path root" or a path "separator". After that, what's to stop me from letting the user (try) to push anything into the interface that they want? After all, if it can't be done, Perl itself will be the one to throw the error at the end of the call stack. I'll just kindly return the error... such is my thinking.
Normalization / canonicalization are totally different matters. I'm not sure I even want to attempt that. I'd have first believe it was a useful "feature". Then again, maybe it's been done before and I could use what's already been written. Haven't checked CPAN for that yet.
Bottom line, I think it's doable in the sense that other than the basic aforementioned checks, I would just step back and let Perl make the final decisions on what it will and won't accept, instead of the hand holding and "protections" I currently have in place.
Backing off a bit from the nanny mentality is something I've been considering for some time.
It's terribly late, and I'm rambling. But thanks BrowserUK, you always get me thinking outside the box.
A mistake can be valuable or costly, depending on how faithfully you pursue correction