The $file variable which is the second parameter being passed in never gets used anywhere. I don't know if this is because the part of the code using it has been stripped out though.

The $data variable, third parameter passed in, just gets overwritten in the while loop. Again, maybe something important has been stripped from the code that I'm missing.

I don't see how $filename is a symbolic reference. A symbolic reference only occurs when you're using one variable's value to get the name for another variable. The code worked fine for me without the 'no strict' lines.

The danger in this code lies in the open call. open allows some powerful constructs in it, such as piping output to another program, redirecting output, etc. Take a look at perlsec for a detailed description.