It's worse:

Even if I explicitly untaint the variables, I run into trouble:


Later on I do call IPAddr.new with those (untainted) values, but again
get an error message:

invalid address
/usr/lib/ruby/1.8/ipaddr.rb:422:in `initialize'


The reason is that /usr/lib/ruby/1.8/ipaddr.rb:412 applies a regular
expression again, then the value gets tainted again, and 
IPSocket.getaddress(prefix) in /usr/lib/ruby/1.8/ipaddr.rb:422 fails.


There must be some problem with tainting in regular expressions...

regards
Hadmut