Deep within a module I am using I found this code lurking: # Untaint all ENV variables foreach ( keys %ENV ) { $ENV{$_} =~ m/(.*)/; $ENV{$_} = $1; } So it looks like I'm untainting QUERY_STRING, which would be my problem. Thanks for your help pointing me in the right direction.