in reply to Re: •Re: anti leech CGI
in thread anti leech CGI
No, because the point is that you're using a regex where you want an exact match, and it's not anchored either!

    my $remote = $ENV{REMOTE_ADDR};
    return(0) unless grep /$remote/, @$hosts;

This is better:

    my $remote = $ENV{REMOTE_ADDR};
    return 0 unless grep $remote eq $_, @$hosts;

> wouldn't taint have caught this? He's trusting user supplied data (DNS name) in an unsafe way.

No, because simply doing a regex match isn't considered "external" enough for tainted data to abort it.
-- Randal L. Schwartz, Perl hacker
Be sure to read my standard disclaimer if this is a reply.
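Added example, not part of the original post: the two checks above run side by side over a constructed allowlist, to show which client addresses the unanchored pattern lets through. The sub names, the addresses (RFC 5737 documentation ranges) and the third, quoted-and-anchored variant are assumptions that go beyond the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed allowlist (RFC 5737 documentation addresses).
my $hosts = [ '192.0.2.10', '192.0.2.125', '198.51.100.7' ];

# Check from the post: $remote is interpolated as an unanchored pattern,
# so it matches anywhere inside an entry and each '.' matches any character.
sub allowed_regex {
    my ($remote) = @_;
    return scalar grep { /$remote/ } @$hosts;
}

# Fix from the post: plain string equality against each entry.
sub allowed_eq {
    my ($remote) = @_;
    return scalar grep { $remote eq $_ } @$hosts;
}

# Added variant (assumption, not in the post): if a pattern must be used,
# quote metacharacters with \Q...\E and anchor both ends with \A and \z.
sub allowed_anchored {
    my ($remote) = @_;
    return scalar grep { /\A\Q$remote\E\z/ } @$hosts;
}

# Constructed values standing in for $ENV{REMOTE_ADDR}.
my @cases = (
    '192.0.2.10',     # listed exactly
    '192.0.2.1',      # not listed, but a prefix of two listed entries
    '2.0.2.12',       # not listed, but a substring of 192.0.2.125
    '8.51.1.0',       # not listed; its dots act as wildcards inside 198.51.100.7
    '203.0.113.9',    # not listed and matches nothing
);

printf "%-14s %-8s %-8s %s\n", 'remote', 'regex', 'eq', 'anchored';
for my $remote (@cases) {
    printf "%-14s %-8s %-8s %s\n", $remote,
        map { $_ ? 'allow' : 'deny' }
            allowed_regex($remote), allowed_eq($remote), allowed_anchored($remote);
}
```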