It is acceptable to use the uploaded file name if the input is validated sufficiently. First is removing characters that could cause problems for the shell. This will prevent attacks against the shell and also help with giving file names that don't encoding or special processing. Also good is using the three argument form of open.

my $path = File::Spec->catfile($dir, $file);
open(OUT, '>', $path) or die;
[download]

Another check is to remove any directory components. This prevents writing to files elsewhere on the filesystem. It guarantees that the files go in the right directory.

It is a good idea to separate uploaded files into their own directory. If there is some authentication to control who can upload, then overriding an existing file isn't a security hole.