Anno's solution is just what you need. URI-escaping is used at URI's to reduce the character set a browser needs to understand as input and reduce interpretation problems (with spaces and special characters). Then "boo%20hoo.xls" would generally bring it up a resource with a name like "boo hoo.xls". But if your files have been named after URI-escaping, you need to repeat the process because "%" is special now. That's why you need to URI::Escape again.
That reminded me of an article by Robert Spier (A Canary Trap for URI Escaping) on how they handled the problem of multiply-escaped URIs for the Bitcard sign-on system with the help of "canary traps".