in reply to Untainting known good data

If you know you trust your input file you should be able to make all data coming from the file be trusted. You can do this with IO::Handle's untaint method:

use IO::Handle;
# ...
F->untaint == 0 or die "Untainting filehandle failed: $!\n";
# ...

As IO::Handle's docs say, this is a very trusting action to take and should only be done if you can really trust what you are untainting.

You could, of course, take another route of actually untainting the $tmpl variable:

($tmpl) = $tmpl =~ /(.*)/s;
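
Added example (not part of the original reply): a script that uses Scalar::Util's tainted() to show what each approach above does to data read from a file. It reads its own source as a stand-in for the input file and must be run with perl -T; the printable-ASCII pattern at the end is an assumed policy for what a template may contain.

```perl
#!/usr/bin/perl -T
# Added example. Run as: perl -T untaint_demo.pl
use strict;
use warnings;
use IO::Handle;
use Scalar::Util qw(tainted);

die "Taint mode is off; run with perl -T\n" unless ${^TAINT};

# Read the first line of this script, standing in for the input file.
# With $trust_handle set, the whole handle is marked as a trusted source.
sub first_line {
    my ($trust_handle) = @_;
    open(my $fh, '<', __FILE__) or die "Cannot open ", __FILE__, ": $!\n";
    if ($trust_handle) {
        $fh->untaint == 0 or die "Untainting filehandle failed: $!\n";
    }
    my $line = <$fh>;
    close($fh);
    return $line;
}

# Print whether a value still carries the taint flag.
sub report {
    my ($label, $value) = @_;
    printf "%-28s %s\n", $label, tainted($value) ? "tainted" : "clean";
}

my $tmpl = first_line(0);
report("plain read:", $tmpl);

report("after \$fh->untaint:", first_line(1));

# Catch-all capture: clears the flag without inspecting the data.
my ($blanket) = $tmpl =~ /(.*)/s;
report("after /(.*)/s:", $blanket);

# Validating capture: clears the flag only if the data fits a policy.
# Assumed policy: printable ASCII plus tab, CR and LF.
my ($checked) = $tmpl =~ /\A([\x20-\x7e\t\r\n]*)\z/;
defined $checked or die "Template contains unexpected bytes\n";
report("after allowlist match:", $checked);
```

The last two captures both clear the taint flag, but only the second one rejects input that falls outside what the program expects.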