in reply to If File Exists

No. Don't use anything that starts with HTTP_ directly in a file path. Extract the information into an untainted variable.

This is why I recommend that all CGI programs run with -T (enabling taint mode)... to keep you from making stupid dangerous mistakes like this without deliberately trying to get around it.

-- Randal L. Schwartz, Perl hacker
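
An added example, not part of the original reply, showing one way to do the extraction described above: under `-T`, a value from `%ENV` is copied into an untainted variable through an allowlist regex capture before it goes into a file path. The header name `HTTP_X_REPORT_NAME`, the directory `/var/www/data`, the allowlist pattern and the sample values are all assumptions made for this illustration.

```perl
#!/usr/bin/perl -T
# Added example; run it as `perl -T script.pl`.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical data directory and header name, chosen for this example.
my $BASE_DIR = '/var/www/data';
my $HEADER   = 'HTTP_X_REPORT_NAME';

# Return a validated, untainted file name, or nothing if the value is rejected.
sub untaint_filename {
    my ($raw) = @_;
    return unless defined $raw && length($raw) <= 64;
    # Allowlist for a single path component: starts with a letter or digit,
    # optional extension, no slashes, no leading dot, no "..".
    # \A and \z anchor the whole string; "$" would accept a trailing newline.
    return unless $raw =~ /\A([A-Za-z0-9][A-Za-z0-9_-]*(?:\.[A-Za-z0-9]+)?)\z/;
    return $1;    # a regex capture is the untainted copy
}

# Constructed sample values. Literals in the script are not tainted;
# the real header value read from %ENV is.
my @candidates = ('summary.txt', '../../etc/passwd', '.htaccess', "report.txt\n");
push @candidates, $ENV{$HEADER} if defined $ENV{$HEADER};

for my $raw (@candidates) {
    # Replace non-printable characters so the report line stays readable.
    (my $shown = $raw) =~ s/[^\x20-\x7e]/?/g;

    my $name = untaint_filename($raw);
    if (!defined $name) {
        printf "%-20s rejected (input tainted: %s)\n",
            $shown, tainted($raw) ? 'yes' : 'no';
        next;
    }

    # Only the validated name is ever joined to the base directory.
    my $path = "$BASE_DIR/$name";
    printf "%-20s -> %s (%s, path tainted: %s)\n",
        $shown, $path, (-e $path ? 'exists' : 'missing'),
        tainted($path) ? 'yes' : 'no';
}
```

Setting `HTTP_X_REPORT_NAME` in the environment before running adds a genuinely tainted input to the list, so the report shows the raw value as tainted and the path built from the capture as untainted.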