sub get_userfile
{
    my ( $config, $username ) = ( shift, shift );

# add only this line: still tainted
# ( $config->{ users } ) = ( $config->{ users } =~ /^(.+)$/ );

# add only this line: untainted
# ( $username ) = ( $username =~ /^(.+)$/ );

    $config->{ users } . $username;
}