in reply to File Upload Script: Security Issue???
There is generally no direct risk from the content of the file until you try to open it with a particular application that some malicious person may have targeted with some carefully crafted file - on Windows you might want to take the precaution of either removing the suffix or supplying a (for example) .safe suffix if there is a danger of random people opening the files. I would also alter the sanitizing of the filename to something like:

    $filename =~ /([^\/\\]*)$/; $filename = $1;

Of course you aren't actually using the name of the file, so all of the above doesn't apply to your code.
You might consider setting $CGI::POST_MAX to a sensible value to avoid a DoS through a massive upload, and you probably also want to use the -T flag to turn tainting on so you can't do anything silly in the Perl program with the user-supplied input. Other than that you are safe from any other risks.
/J\
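The three measures in the reply above (a $CGI::POST_MAX cap, taint mode, and keeping only the last path component of the browser-supplied name) put together in one small CGI.pm upload handler. This is an added example and not the original poster's script; the form field name "upload", the destination directory /var/www/uploads, the 2 MiB limit and the ".safe" suffix are assumptions chosen for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not the poster's code): CGI.pm upload handler combining
# POST_MAX, taint mode and basename-only filename sanitising.
use strict;
use warnings;
use CGI;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# Taint mode refuses to run external commands with an untrusted environment,
# so pin PATH and drop the variables perl considers dangerous.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Reject request bodies larger than 2 MiB before CGI.pm reads them
# (assumed limit); this is the DoS protection the reply mentions.
$CGI::POST_MAX = 2 * 1024 * 1024;

my $upload_dir = '/var/www/uploads';   # assumed; keep it outside the document root

my $q = CGI->new;
if ( my $err = $q->cgi_error ) {       # set when the body exceeded POST_MAX
    print $q->header( -status => $err ), "Upload rejected: $err\n";
    exit;
}

# Keep only the last path component of whatever the browser sent (the regex
# from the reply), then whitelist characters. Assigning from the capture $1
# is what untaints the value under -T, so the result may be used in a path.
sub safe_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    $raw =~ /([^\/\\]*)$/;
    my $base = $1;
    $base =~ s/[^A-Za-z0-9._-]/_/g;    # no shell metacharacters or spaces
    $base =~ s/^\.+//;                 # no dot-files and no leading ".."
    return undef if $base eq '';
    return "$base.safe";               # neutral suffix: Windows will not auto-open it
}

my $fh   = $q->upload('upload');                    # filehandle for the uploaded data
my $name = safe_name( scalar $q->param('upload') ); # browser-supplied filename

if ( !$fh || !defined $name ) {
    print $q->header( -status => 400 ), "Bad upload\n";
    exit;
}

# O_EXCL makes sure an existing file is never overwritten, even if two
# requests race on the same sanitised name.
sysopen( my $out, "$upload_dir/$name", O_WRONLY | O_CREAT | O_EXCL, 0644 )
    or die "cannot create $upload_dir/$name: $!";
binmode $out;
while ( read( $fh, my $buf, 65536 ) ) {
    print {$out} $buf or die "write failed: $!";
}
close $out or die "close failed: $!";

print $q->header( -type => 'text/plain' ), "Stored as $name\n";
```

Note that the regex captures the basename but does not reject odd characters; the extra substitutions in safe_name are what make the result safe to interpolate into a path, and the .safe suffix means a double-clicked upload on a Windows box lands in "Open with..." rather than in whatever application the original extension was associated with.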