http://www.perlmonks.org?node_id=14334


in reply to Tarball Cleaner

You may want to consider adding some checks in here to make sure this can't be exploited. This should use -T and the incomming arguments should be laundered (see Untaint.pm, and perlsec). By laundering the incomming arg, you can make sure that the incomming file has a .tar/.gz extention, and ends there. You wouldn't want someone passing an arg of 'foo.tar.gz; echo <badness> > trojan' or 'foo.tar.gz; rm -rf ./'
I know it isn't a CGI, but making it somewhat safe is a good idea.

Just a thought.

Cheers,
KM