in reply to Re^5: Question using system.
in thread Question using system.

Sorry, I'm still unclear. I can see the 'buggy' part - e.g., specifying a "filename" containing odd characters which would cause Perl to barf on syntax - but injection attacks? Searching the Web doesn't come up with anything other than SQL injection attacks.


-- 
Human history becomes more and more a race between education and catastrophe. -- HG Wells

Re^7: Question using system.
by ikegami (Patriarch) on Jul 10, 2008 at 21:55 UTC

    An injection attack occurs when data is treated as code, possibly due to improper escaping.
    It can occur in SQL statements.
    It can occur in shell command lines.
    It can occur in evaled strings.
    It can occur in HTML (known as Cross-Site Scripting).
    etc.

    What if $file holds "| rm -rf /"? It's even a perfectly valid path, so it's not a validation issue.

    Update: Added links. Refined definition.

      I guess the assumption here is that the script is executing with higher privs than the user supplying the arguments? If that's the case, then that's what I was missing. Otherwise, there's nothing to stop the user from just typing "rm -rf /".

      In any case, thank you kindly for the explanation. Much appreciated.

      
      -- 
      Human history becomes more and more a race between education and catastrophe. -- HG Wells
      

        I guess the assumption here is that the script is executing with higher privs than the user supplying the arguments?

        Not necessarily. Imagine this simple backup script.

        my @to_backup = File::Find::Rule->file()
            ->...
            ->in('.');

        for my $file_qn (@to_backup) {
            open(my $backup, "backup $file_qn |") or die;
            ...
        }

        By running the above, you'd be running commands outside of the script's control, even if there's no intent (malevolent or otherwise) to do so. Fix:

        my @to_backup = File::Find::Rule->file()
            ->...
            ->in('.');

        for my $file_qn (@to_backup) {
            open(my $backup, '-|', 'backup', $file_qn) or die;
            ...
        }
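The following is an added, runnable illustration of the string-form versus list-form distinction ikegami describes; it is not code from the thread. It assumes `wc -c` as a stand-in for the hypothetical `backup` tool, and the directory and file names it creates are constructed for the demo. Run it in a scratch location; it only touches its own temporary directory.

```perl
#!/usr/bin/perl
# Added example: demonstrates the string-vs-list distinction from the thread.
# Not code from the original posts; 'wc -c' stands in for the hypothetical
# "backup" tool, and the file names below are constructed for the demo.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);

# Stand-in for the thread's "backup" tool (assumption: any program that
# takes a filename as its last argument would behave the same way).
my @BACKUP_CMD = ('wc', '-c');

# Vulnerable form, as in the thread's first snippet: the filename is
# interpolated into one string. With a trailing '|' Perl starts the
# command via /bin/sh whenever the string contains shell metacharacters,
# so ';' ends the wc command and whatever follows runs as a new command.
sub backup_unsafe {
    my ($file) = @_;
    open(my $out, "@BACKUP_CMD $file |") or die "open: $!";
    my $result = join '', <$out>;
    close $out;
    return $result;
}

# Fixed form, as in the thread's second snippet: list-form open. Every
# element becomes exactly one argv entry and no shell is involved, so the
# filename is only ever a filename, whatever characters it contains.
sub backup_safe {
    my ($file) = @_;
    open(my $out, '-|', @BACKUP_CMD, $file) or die "open: $!";
    my $result = join '', <$out>;
    close $out;
    return $result;
}

# Constructed test case: a directory holding a file whose *name* carries a
# shell command. It is a perfectly valid Unix filename, so no path
# validation would reject it.
my $orig_cwd = getcwd();
my $dir      = tempdir(CLEANUP => 1);
chdir $dir or die "chdir: $!";

my $name = 'notes; echo INJECTED > marker';
for my $f ('notes', $name) {    # 'notes' too, so the injected run looks clean
    open(my $fh, '>', $f) or die "create $f: $!";
    print $fh "some data\n";
    close $fh;
}

for my $case (['string form', \&backup_unsafe], ['list form', \&backup_safe]) {
    my ($label, $code) = @$case;
    unlink 'marker';
    my $output = $code->($name);
    chomp $output;
    printf "%-12s wc said %-45s marker file %s\n",
        "$label:", "'$output'",
        -e 'marker' ? 'CREATED (command injected)' : 'absent';
}

chdir $orig_cwd;
```

In the string-form run `wc` reports on the innocent file `notes` and the `marker` file appears, so the script "succeeds" while having run a command it never intended; in the list-form run `wc` reports on the oddly named file itself and no marker appears. `system` and `exec` follow the same rule as `open`: `system("backup $file")` goes through the shell when the string contains metacharacters, `system('backup', $file)` does not. One caveat with all three: the list form only bypasses the shell when it has more than one element, so `system($single_string)` and `open($fh, '-|', $single_string)` are still the string form. And the list form only removes the shell; the called program still parses its own argv, so a name beginning with `-` can be read as an option by tools that do not get a `--` first.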