See the CGI modle documentation.

To be safe, use the upload() function (new in version 2.47). When called with the name of an upload field, upload() returns a filehandle, or undef if the parameter is not a valid filehandle.

$fh = $query->upload('uploaded_file');
[download]