I far prefer the tried and true:

use CGI qw(:standard);
# Time passes
open(IN, param("input_file"));
# and do the rest of the apparently innocuous program
[download]

The proper usage of this handy command runner I leave to your imagination, a close read of open's semantics, and a reminder that if you know how to do a URI encoding, you can put pipes etc into the filename.

Yes. This is a warning about a basic security mistake that you may be making without realizing it...