by poizan42 3978 days ago
I'm slightly alarmed by URLs such as: http://www.cs.toronto.edu/~graves/handwriting.cgi?text=Hej&s...

Relative paths allowed from user input is usually a HUGE warning sign. Are you sure I can't make it open arbitrary files? What happens to your cgi script if it reads a file in the wrong format?
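
An added example, not part of the comment above and not the site's own code: one way a CGI handler can answer both questions, by confining a user-supplied relative path to a base directory and checking the file's format before using it. The function names, the `styles` directory and the `STYL1` file signature are hypothetical, and all sample files are constructed.

```python
import os
import tempfile
from pathlib import Path

MAGIC = b"STYL1\n"  # constructed file signature, an assumption for this example

class RejectedInput(Exception):
    """Raised when a request must not be served."""

def resolve_under(base_dir, user_value):
    """Map a user-supplied relative path to a real file inside base_dir."""
    if "\x00" in user_value or os.path.isabs(user_value):
        raise RejectedInput("absolute path or NUL byte")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the containment check
    target = os.path.realpath(os.path.join(base, user_value))
    if os.path.commonpath([base, target]) != base:
        raise RejectedInput("path escapes base directory")
    if not os.path.isfile(target):
        raise RejectedInput("not a regular file")
    return target

def load_checked(base_dir, user_value, max_bytes=1 << 20):
    """Read the file only if it is contained, size-bounded and correctly typed."""
    path = resolve_under(base_dir, user_value)
    with open(path, "rb") as fh:
        data = fh.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise RejectedInput("file too large")
    if not data.startswith(MAGIC):
        raise RejectedInput("unexpected file format")
    return data[len(MAGIC):]

def demo():
    """Run the checks over constructed inputs; returns {input: outcome}."""
    files = {"styles/a.dat": MAGIC + b"ok", "styles/bad.dat": b"not the format",
             "secret.txt": MAGIC + b"outside"}
    inputs = ["a.dat", "bad.dat", "../secret.txt", "/abs/path", "sub/../a.dat"]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "styles")
        os.mkdir(base)
        for name, body in files.items():
            Path(root, name).write_bytes(body)
        for value in inputs:
            try:
                results[value] = load_checked(base, value)
            except RejectedInput as exc:
                results[value] = str(exc)
    return results
```

A stricter design avoids paths entirely and maps a short identifier from the query string to a fixed table of files on the server.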