I don't know if there is a way for someone to potentially abuse this. What is a workaround? I do not want someone to be able to abuse my server by downloading content this way.
There is an option to re-email a shipping label. I basically have it setup so there is no database work besides the preparation of the page. The only other method I can think of is to have the post variable the ID of the row and then pull the file name from there.
So, is it unsafe to have a filename as a post variable (that could potentially be tampered with)?
It's only unsafe if you're going to do something like readfile() or include() on it.
Using the row ID would be better, but even with this you still need to consider if the user should be allowed to access the file (to avoid random id=1 id=2 id=3 testing).
You should never trust incoming data. POST requests can be abused as well as GET requests, so in the worst case your website could be a mean of XSS attacks, or could be used as a spamming node.
The thing to do is sending, apart from filename or entry ID, some hash, and then checking whether these two match, i.e. is the entry associated with this hash. Therefore simply trying different IDs will not work, since abuser would have to guess proper hash as well. A word of advice: hash not only id, or filename, but time of sending e-mail and some salt as well.