in reply to Tainted variable

return ! eval {join('',@_),kill 0;1;};

The really interesting thing here that I think nobody commented on yet is that this works because taintedness is only computed per-statement, not per-expression. Perl has a flag inside it called tainted. Whenever Perl starts a new statement, it clears the flag. Whenever Perl accesses tainted information, it sets the flag. Whenever Perl performs an 'unsafe' operation, it checks the flag and throws an exception if the flag is set.

This means that if you access tainted information in a statement, and then perform an unsafe operation in the same statement, Perl will throw the exception even when the tainted information couldn't possibly affect the outcome of the unsafe operation, as in your example.

(Why was it done this way? For efficiency and ease of implementation.)

This oddity is used here to test possibly malicious data in conjunction with an unsafe operation, but in such a way that the data can't possibly affect the result of the operation, so that it's safe.

Happy Bicycle Day!
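The per-statement behaviour described in the post above, as an added example that is not part of the original thread: the same `join` and `kill 0` pair trips the taint check when written as one statement and passes when split into two. The sub names and sample strings are constructed for illustration, and the script assumes it is started with `perl -T`.

```perl
#!/usr/bin/perl -T
# Added example. Run with taint mode on the command line: perl -T <file>
use strict;
use warnings;

# Constructed sample data: substr($^X, 0, 0) is an empty but tainted string
# under -T, so appending it taints the literal without relying on %ENV.
my $tainted = "constructed input" . substr($^X, 0, 0);
my $clean   = "constructed literal";

# The idiom from the post: join reads its arguments (setting the taint flag
# if any of them is tainted), then kill 0 in the SAME statement checks it.
# kill 0 is given no process IDs, so it signals nothing either way.
sub is_tainted {
    no warnings 'void';    # join's result is deliberately discarded
    local $@;              # keep the caller's $@ intact
    return !eval { join('', @_), kill 0; 1 };
}

# Same two operations as separate statements: the flag is cleared when the
# second statement starts, so kill 0 has nothing to object to.
sub dies_when_split {
    local $@;
    return !eval { my $joined = join('', @_); kill 0; 1 };
}

for my $case (
    [ 'clean value, one statement',    \&is_tainted,      $clean   ],
    [ 'tainted value, one statement',  \&is_tainted,      $tainted ],
    [ 'tainted value, two statements', \&dies_when_split, $tainted ],
) {
    my ($label, $check, $value) = @$case;
    printf "%-32s %s\n", $label,
        $check->($value) ? 'taint check fired' : 'no exception';
}
```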

Re: Re: Tainted variable
by Eureka_sg (Monk) on Apr 16, 2001 at 20:59 UTC

    Thanks for the clear explanation! :-)