$ perl -Te'
    my $fn = $ARGV[0];
    ($fn) = $fn =~ /^([a-zA-Z0-9]{1,8}\.txt)\z/ or die;
    open(my $fh, ">", $fn) or die;
    printf $fh "%s\n", "foo";
' foo.txt

$ cat foo.txt
foo
[download]

Update: Oops, missed the bit about writing tainted info, but it makes no difference

$ perl -Te'
    my $fn = $ARGV[0];
    ($fn) = $fn =~ /^([a-zA-Z0-9]{1,8}\.txt)\z/
        or die;
    open(my $fh, ">", $fn) or die;
    printf $fh "%s\n", $ARGV[0];
' foo.txt

$ cat foo.txt
foo.txt

$ perl -Te'
    my $fn = $ARGV[0];
    ($fn) = $fn =~ /^([a-zA-Z0-9]{1,8}\.txt)\z/
        or die;
    open(my $fh, ">", $fn) or die;
    print $fh $ARGV[0];
    print $fh "\n";
' foo.txt

$ cat foo.txt
foo.txt
[download]

The following code exhibits the trouble.

#!/usr/bin/perl -wT
use strict
my $tainteddata = $ARGV[0];
my ($untainteddata) = $tainteddata =~ /^([\w]+)$/;
open(my $fh, ">", $untainteddata) or die;
printf $fh <<EOMEOM;
removing the next line of output allows the script to work
the tainted data: $tainteddata
script works with or without the following line
the untainted data: $untainteddata
EOMEOM
close ($fh);
exit;
[download]

In trying other solutions, I've determined that the here document appears to be the culprit. The following code works fine.

#!/usr/bin/perl -wT
use strict;
my $tainteddata = $ARGV[0];
my ($untainteddata) = $tainteddata =~ /^([\w]+)$/;
open(my $fh, ">", $untainteddata) or die;
printf $fh $tainteddata, "\n";
close ($fh);
exit;
[download]

This is curious to me. Why the different behavior for here documents? Original version of perl was 5.8.9, now 5.10.1.

Your problem can be demonstrated using

perl -Te'printf $ARGV[0]' foo
[download]

The first argument of printf (optional fh aside) is the format pattern. It makes sense to require the pattern to be trusted. Consider %n, for example.

printf $fh <<EOMEOM;
should be
printf $fh "%s", <<EOMEOM;
or simply
print $fh <<EOMEOM;

Your code is buggy, and 5.10 catches your bug.

perldoc perl595delta says

When perl is run under taint mode, printf() and sprintf() will now reject any tainted format argument.

I will try to cut the code down to the smallest instance where the problem still occurs and repost in a bit. Essentially the problem is this:

• using perl 5.8
• code working with taint mode turned on, file name comes from user, untainted by code and tainted information written to file successfully.
• upgrade to 5.10
• code now broken with 'insecure dependency...' error
• only way to fix is to untaint the information written to the file. Nothing else changed.
I pass a file handle and the tainted information to a subroutine that does the output. I don't know if that makes a difference. Back in a bit with code sample.

The above does exactly what you said except it gives no error with 5.10.0.

See 827882;