That is why the code is:

open FILE, "$filepath/$filename";

# so provided we hard code $filepath....
my $filepath = '/usr/somewhere';

# and untaint $filename ensuring there are no ../ etc, in it
my $filename = $q->param('filename') || '';
my ($filename) = $filename =~ m/^([\w.-]+)\z/;

# then this is quite safe...
open FILE, "$filepath/$filename" or die $!;
[download]

As you rightly point out open FILE, $file where the user supplies $file and it is not untainted is dangerous as hell, see this for why

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print