Built from 2.1.17 source, works fine on commandline, but not working from CGI wrapper. Traced problem to regular expressions failing to match, specifically in contexts like the following in Render.pm:
my ($f)=/$config{wiki_file_regexp}/; # untaint
It works if I replace it with:
my ($f)=/(^[-[:alnum:]_.:\/+]+$)/; # untaint
which is exactly the same regular expression drawn out as a constant. It appears that %config gets some tainted data and is itself being marked entirely tainted, which may prevent using regular expressions contained in it for untainting other data. I'm using Perl 5.8.8.
without any payload of the actual regexp, and that would also certainly also have the observed effect of the regexps being completely broken while running in CGI mode. This seems to implicate Data::Dumper (2.101). After upgrading Data::Dumper to 2.121 I get:
This would call for at most an installation prerequisite of Data::Dumper >= 1.121. A look at the module's changelog shows that no intervening versions were actually released, so 1.121 would be the minimal good one.