http://www.perlmonks.org?node_id=340794


in reply to Re: Problems with opendir in CGI
in thread Problems with opendir in CGI

Well, I've narrowed it down to a problem with the whitespace in the directory name. I renamed one of the directories that I'm trying to open with no whitespace and the CGI works fine. The "not found" error only happens on directories with whitespace in the path, which says to me that s/(\s)/\\$1/g isn't cutting it. Any suggestions?

Re: Re: Re: Problems with opendir in CGI
by tachyon (Chancellor) on Mar 29, 2004 at 23:58 UTC

    Don't use whitespace in dir names? Seriously. Although in theory you can escape it with \\, each time you interpolate you 'lose' one level of escape. Why not make your life easy?

    BTW you need some decent error checking on the supplied path. ..\..\WINNT\cmd.exe or ..\..\etc\passwd anyone? There are all manner of variations on this theme. Have a look at the Webserver error logs for the 404 not found with .. %5d and friends. I suggest:

    my $full_path = '/some/path';
    # $input stands in for the path fragment received from the CGI request
    (my $cgi_path = $input) =~ s/\W//g;
    my $safe_path = "$full_path/$cgi_path";

    i.e. only allow the final part of the path to be passed, so you can remove anything non-alphanumeric. If you need more path to be passed, pass it as alphanumeric fragments and build the path safely. You ARE NOT SAFE trying to remove ../ as there are 101 ways to express this, i.e. the %5D hacks that even complex regexes will miss. You need to know exactly how the shell deals with escape chars in the path to know what will happen.

    cheers

    tachyon

      Interesting ... when I took out the code that added escape sequences to whitespace, everything started working!

      /me shrugs. Oh well.

      alex g.
Re: Re: Re: Problems with opendir in CGI
by Fletch (Bishop) on Mar 30, 2004 at 02:06 UTC

    So long as you're only passing things directly to perl builtins (i.e. you're not calling something externally using system()), spaces shouldn't need to be escaped, and if you try to do so you'll cause yourself problems (as you've found out).
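
The two points made in the replies above (build the path from allow-listed fragments, and pass it to the opendir builtin without escaping whitespace) combined in one script. This is an added example, not code from any poster in the thread; `safe_dir` and `list_dir` are hypothetical names, and the allow-list is an assumption that goes slightly beyond the strictly alphanumeric suggestion by permitting single interior spaces and rejecting bad input instead of stripping it.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# safe_dir and list_dir are illustrative names, not from the thread.
# Build a path under $base from caller-supplied fragments. Each fragment must
# consist only of allow-listed characters; anything else is rejected outright
# rather than "cleaned", so "..", slashes, backslashes and %-encodings never
# reach the filesystem call.
sub safe_dir {
    my ($base, @fragments) = @_;
    return unless @fragments;
    for my $frag (@fragments) {
        return unless defined($frag)
            && $frag =~ /\A[A-Za-z0-9_]+(?: [A-Za-z0-9_]+)*\z/;
    }
    return File::Spec->catdir($base, @fragments);
}

# List a directory with the opendir builtin. The path is passed as-is:
# no shell is involved, so whitespace needs no escaping.
sub list_dir {
    my ($path) = @_;
    opendir(my $dh, $path) or die "Cannot open '$path': $!";
    my @entries = sort grep { !/\A\.\.?\z/ } readdir $dh;
    closedir $dh;
    return @entries;
}

# Constructed fixture: a temporary base directory holding a subdirectory
# whose name contains a space, with one file inside it.
my $base = tempdir(CLEANUP => 1);
my $sub  = File::Spec->catdir($base, 'My Documents');
mkdir $sub or die "mkdir failed: $!";
open(my $fh, '>', File::Spec->catfile($sub, 'report.txt')) or die "open failed: $!";
close $fh;

# Constructed sample inputs, as they might arrive in a CGI parameter.
for my $input ('My Documents', '../etc', '..\\..\\WINNT', '%2e%2e', 'My\\ Documents') {
    my $path = safe_dir($base, $input);
    if (defined $path) {
        print "OK       '$input' -> ", join(', ', list_dir($path)), "\n";
    } else {
        print "REJECTED '$input'\n";
    }
}
```

Only the first input is accepted and listed; the backslash-escaped form of the same name is rejected along with the traversal attempts, because the allow-list admits no backslash.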