Assuming that you have a normal user account and the webserver runs as someone else, your best bet is to make the directory the script is saving files in sticky (1777 or 1733). You also want this dir to be something other than the current dir, and to be somewhere where CGI/shtml/php/other dynamic content can't be run - you don't want someone uploading arbitrary programs, and I suspect some server-interpreted dynamic formats may well be runnable even when not executable.

Also, the regexp should constrain filenames to safe characters (something like =~/^.*?(a-zA-Z0-9.+)$/ will work - the current one won't strip MacOS paths (Volume:Folder:File), and will pass various things that could, depending on filesystem and what you use to view the directory, range from mildly annoying to security risks.)

And open(FILE,">filename"); will follow symlinks and overwrite existing files. sysopen() with O_CREAT|O_EXCL (and O_NOFOLLOW if your OS supports/needs it) is safer.