Perhaps my choice of language was unclear - by 'wipe the whole %ENV hash' I meant localize the hash and set explicit values prior to shelling out. Perl is vulnerable to Shellshock because an environmental variable makes a side run and it's not in the set that Perl considers dangerous for an external call. In the perlsec docs, the only recommendations are regarding 5 specific variables which are the 5 that taint considers dangerous (please correct me if I'm mistaken). It seems like this issue might warrant increasing the scope of taint to consider any tainted value in %ENV dangerous to the shell (thus breaking billions of scripts worldwide....)
#11929 First ask yourself `How would I do this without a computer?' Then have the computer do it the same way.