system "echo $arg";         # Insecure
           system "/bin/echo", $arg;   # Secure (doesn't use sh)
           system "echo $hid";         # Insecure
           system "echo $data";        # Insecure until PATH set

           $path = $ENV{'PATH'};       # $path now tainted

           $ENV{'PATH'} = '/bin:/usr/bin';
           delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

           $path = $ENV{'PATH'};       # $path now NOT tainted
           system "echo $data";        # Is secure now!
[download]

my system call is:

system "/usr/sbin/useradd $cli";
[download]

I have the following in my script which I had hoped would allow for this command to be used:

## taint environmentals
$ENV{'PATH'} = "/bin:/usr/sbin";
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

## clean up user's name
$formdata{username} =~ s/ //g;
$formdata{username} =~ s/[^A-Za-z0-9]//g;
$formdata{username} =~ /^([A-Za-z0-9]{1,8}).*$/;
$formdata{username} = $1;

my $cli = "-s $shell -d $home -G $group $formdata{username}";
  $cli =~ /^(\-s \"\/bin\/false\" \-d \"\/home\/clients\/(?:stage\.)?(
+?:[\w\-]+\.)(?:\w{2,3}\.)?(?:\w{2,4})\/[A-Za-z0-9]+\" \-G \"hosting\,
+[\w\-]+\" [A-Za-z0-9]+)$/;
  $cli = $1;

  print "CLI is $cli";

  system("/usr/sbin/useradd $cli");
[download]

I stuck in that  print "CLI is $cli" to see just what I was getting out of it. Sure enough, it is as i expected it to be.
In my situation, that turns out to be:

-s "/bin/false" -d "/home/clients/stage.domain.com/testcjm" -G "hostin
+g,domain" testcjm
[download]

In the course of my testing, I've also untainted the $shell $home $group and $formdata{username} variables.

When I dont use $cli and instead just pass the $formdata{username} variable to the system call, it works. It seems like the problem is only when I pass all the command line flags as part of $cli.

this has become my white whale for the day's chasing.

thanks -c