$CGI::POST_MAX does indeed include the file being uploaded - it's the entire post (a file is just uploaded as a multipart MIME POST, so any attachments are part of the post).

This is mentioned in Ovid's CGI tutorial in Appendix 3, CGI documentation section (see Avoiding DoS attacks).
These are just a reprint of the CGI docs

Hope that helps

Baz.

Update: Fixed some typos, and added a link to the revelant section of Ovid's tutorial.