This really looks like a perl bug to me:
use use Scalar::Util qw(tainted);
print "\$base is ",tainted($base) ? "" : "not ","tainted\n";
my $url = "$base/index.html";
print "\$url is ",tainted($url) ? "" : "not ","tainted\n";
print get($url);
___OUTPUT___
$base is not tainted
$url is not tainted
Insecure dependency in connect while running with -T switch at /usr/li
+b/perl/5.8/IO/Socket.pm line 114.
While it works if you set $base to some hard-coded value...
Update:
I also upgraded (from 5.8.0 to 5.8.3) so can anyone confirm if this also happens with a "clean" perl 5.8.3 + install ?