in reply to File Upload
You have a possible security hole here.
my $filename = "\n../../asdf";   # leading newline: '.' in ^.* does not match "\n", so nothing is stripped
$filename =~ s/^.*[\\\/:]//;
print $filename;                   # still prints "\n../../asdf"
In other words, someone can submit a form with the filename containing a newline and possibly have some fun. I've not played around with that too much, but it's worth considering. Instead, try a variant of:
my $_filename = $p->param('filename') || '';
my ($filename) = $_filename =~ /(\w+)$/;   # only use word characters from the end
Also, have you double-checked that the form in question used multipart-formdata encoding (or however you spell it)?
Cheers,
Ovid
New address of my CGI Course.
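The newline trick described above, next to a stricter check, as an added example in Perl (this is not Ovid's code; the sub names, the character whitelist and the sample filenames are my own choices):

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The pattern from the post: '.' does not match "\n" and '^' only anchors at
# the start of the string, so a filename that begins with a newline is
# returned untouched, path components and all.
sub basename_weak {
    my ($name) = @_;
    $name =~ s/^.*[\\\/:]//;
    return $name;
}

# Stricter variant (added example): anchor at the END of the string with \z,
# keep only what follows the last separator, then whitelist the characters
# and refuse names that are empty or consist solely of dots.
sub basename_strict {
    my ($name) = @_;
    return undef unless defined $name;
    # text after the last / \ or : -- works even when the name contains "\n"
    my ($base) = $name =~ /([^\\\/:]*)\z/;
    # allow word characters, '-' and '.', nothing else (no newlines, no spaces)
    return undef unless defined $base && $base =~ /\A[\w.-]+\z/;
    # "." and ".." name directories, not files
    return undef if $base =~ /\A\.+\z/;
    return $base;
}

sub _show { my $v = shift; $v =~ s/\n/\\n/g; return "\"$v\"" }

# Constructed inputs, including the leading-newline case from the post.
my @samples = ("report.txt", "C:\\docs\\report.txt", "../../asdf",
               "\n../../asdf", "..", "");
for my $s (@samples) {
    my $weak   = basename_weak($s);
    my $strict = basename_strict($s);
    printf "%-22s weak=%-18s strict=%s\n",
        _show($s), _show($weak), defined $strict ? $strict : "(rejected)";
}
```

Run it and compare the two columns: the weak sub hands back "\n../../asdf" unchanged, while the strict sub reduces it to "asdf" and rejects the empty and dot-only names outright.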
Re^2: File Upload
by rsiedl (Friar) on Jul 13, 2004 at 19:59 UTC