in reply to glob
Running a test I find that readdir() doesn't return tainted data so 5.6's glob()s (there are choices of several now) shouldn't either (or readdir() is also broken) since they just do readdir() and return a subset of the values.
I would certainly understand claiming that both readdir() and new glob()s should return tainted data (I could also understand automatically untainting any file names that don't contain unusual characters).
Note also that just trying to do a glob() prior to 5.6 should fail if running in taint mode as doing the glob() is just opening up a huge list of security holes. ):
(but my friends call me "Tye")