Not really security related per se, but I think that it's wise to set a maximum file size that you'll accept so that someone doesn't try to fill up your disk.

You can do this easily (if you're using CGI.pm) with something like:

# Limit file sizes to 1 MB
use constant MAX_FILE_SIZE => 1_048_576;
$CGI::POST_MAX = MAX_FILE_SIZE;
[download]

You may also want to set a size limit on the directory that is holding the uploaded files. This could be done with something like:

# 100 MB limit on the size of the upload dir
use constant MAX_DIR_SIZE => 100 * 1_048_576;

sub dir_size {
    my $dir      = shift;
    my $dir_size = 0;
    my $file;

    # Loop through files and sum the sizes; doesn't descend down subdi
+rs.
    opendir DIR, $dir or die "Unable to open $dir: $!\n";
    $dir_size += -s "$dir/$file" while defined( $file = readdir DIR );
    closedir DIR;

    return $dir_size;
}

die 'Upload directory is full.'
  if ( dir_size('/path/to/dir') + $ENV{CONTENT_LENGTH} > MAX_DIR_SIZE 
+);
[download]