This also points to one of Perl 5's great features, taint mode and the -T flag.
The core of the bash problem is that it takes outside data and treats it as code. Perl's -T flag prevents your program from making the same mistake without explicitly untainting the data.
From perlsec:
(With -T enabled), you may not use data derived from outside your program to affect something else outside your program--at least, not by accident. All command line arguments, environment variables, locale information (see perllocale), results of certain system calls ("readdir()", "readlink()", the variable of "shmread()", the messages returned by "msgrcv()", the password, gcos and shell fields returned by the "getpwxxx()" calls), and all
file input are marked as "tainted". Tainted data may not be used directly or indirectly in any command that invokes a sub-shell, nor in any command that modifies files, directories, or processes, with the follow-
ing exceptions: ...
It pains me that so far there are no plans (so far as I know) to carry over taint mode into Perl 6.