I think taint mode actually protects us in this case, but we should ensure extra measures. See also: https://httpoxy.org/
We don't use $ua->env_proxy anyway, but even if we did: https://metacpan.org/pod/LWP::UserAgent#ua-env_proxy > On systems with case insensitive environment variables there exists a name clash between > the CGI environment variables and the HTTP_PROXY environment variable normally picked up by env_proxy(). > Because of this HTTP_PROXY is not honored for CGI scripts. > The CGI_HTTP_PROXY environment variable can be used instead. That said, I welcome an excuse to sanitize %ENV and force all code to use the $cgi object (so that we can eventually replace it with a Plack::Request object)
perl's libraries have been immune to this since 2001.