|laziness, impatience, and hubris|
Fastolfe: you need to check for failure on your regex. Currently, if it fails and if there was a value already in $1, it will be passed to $secure. That could be disastrous. If a cracker gets your code and figures out how to pass "../../../bin/some_executable" into the previous backreference, you're back to the original problem.
Also, if the filename has a period delimited extension (and many of them do), your regex won't work (e.g. "somefile.txt").
That's what I get for reading his code too fast :(
Join the Perlmonks Setiathome Group or just go the the link and check out our stats.
In reply to (Ovid - Duking it out over security) RE(3): Warning our Fellow Monks