my ($f)=/(^[-[:alnum:]_.:\/+]+$)/; # untaint
which is exactly the same regular expression drawn out as a constant. It appears that %config gets some tainted data and is itself being marked entirely tainted, which may prevent using regular expressions contained in it for untainting other data. I'm using Perl 5.8.8.
+
+> How could `%config` possible get tainted? That would be a major security
+> hole. It seems more likely that perl containes to have taint flag bugs
+> even in 5.8. See also: [[prune_causing_taint_mode_failures]],
+> [[Insecure_dependency_in_mkdir]],
+> [[Insecure_dependency_in_eval_while_running_with_-T_switch.mdwn]],
+> and especially [[debbug 411786]]
+>
+> The last of those was the last straw for me, and I disabled taint
+> checking in the debian package. You can do the same by building ikiwiki
+> with NOTAINT=1. :-( --[[Joey]]
+
+[[tag done]]