This has been noted in these here parts before, and I recommend looking at that link for the details, as well as perlsec for all the usual reasons. Basically, it looks like Cwd has tainted data, and this is passed onto File::Find, which uses it interally), and thus, you get it.

There is, it seems, a way to turn tainting off for File::Find (at least newer versions), but that's an "at your own risk" deal. Look at the node above for details -- merlyn states it much better than I can.

----Asim, known to some as Woodrow.