It seems that despite the length of my post I still managed to leave out some pertinent information. Sorry! I use untaint_path() to check several filenames not just $^X. It just happens that this is the first test that encountered a weird path. So the question still stands even if $^X is safe.
On that topic, I am using the value of $^X in a qx// call. On Linux at least, if I don't untaint it, I get a nastygram about "insecure dependency." Should perl be a little smarter here?
As for the regexps themselves, I am embarrassed to say I
just copied them from existing code. Now I will use the ones from File::Basename as cdarke suggested.
Thank you for your help.