High severity (7.5) · NVD Advisory · Published Apr 8, 2024 · Updated Apr 15, 2026
CVE-2020-36829
Description
The Mojolicious module before 8.65 for Perl is vulnerable to timing attacks on secure_compare that allow an attacker to learn the length of a secret string. Only versions after 1.74 are affected.
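To make the length leak concrete, the following added example (not code from the Mojolicious project) reimplements the constant-time comparison with the 8.65 fix applied and instruments it with an iteration counter. The `$ITERATIONS` global and the `verify_token` helper are assumptions introduced here for illustration, and the secret is a constructed sample value. The point it shows: after the fix the number of byte comparisons is a function of the first argument only, so a caller that passes the untrusted value first and the secret second does no work that depends on the secret's length.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Iteration counter added for illustration only; it is not part of
# Mojo::Util and exists here to make the amount of work visible.
our $ITERATIONS = 0;

# Constant-time comparison with the same logic as the patched
# Mojo::Util::secure_compare (8.65): a length mismatch sets the result
# bit up front, and the loop still walks every byte of $one, so the
# work done no longer depends on whether the lengths match.
sub secure_compare_fixed {
  my ($one, $two) = @_;
  my $r = length $one != length $two;   # 1 on mismatch, false otherwise
  $two = $one if $r;                    # keep substr in bounds; $r stays set
  $ITERATIONS = 0;
  for (0 .. length($one) - 1) {
    $r |= ord(substr $one, $_) ^ ord(substr $two, $_);
    $ITERATIONS++;
  }
  return $r == 0;
}

# Hypothetical helper: the untrusted value is the first argument and the
# secret the second, so the loop length is the length of the submitted
# token, a value the caller already knows.
sub verify_token {
  my ($submitted, $secret) = @_;
  return secure_compare_fixed($submitted, $secret) ? 1 : 0;
}

my $secret = 'constructed-secret-0123456789';   # constructed sample secret

for my $guess ('a', 'short-guess', 'constructed-secret-0123456789') {
  my $ok = verify_token($guess, $secret);
  printf "guess length %2d -> %-8s %2d byte comparisons\n",
    length $guess, ($ok ? 'match' : 'no match'), $ITERATIONS;
}
```

Each line of output reports a comparison count equal to the guess length, never the secret's length. Swapping the arguments in `verify_token` would make the count track the secret instead, which is exactly the usage the updated documentation in the fix warns against.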
Patches
21308d0a66a7a JSON does not look so nice in examples
2 files changed · +2 −3
lib/Mojolicious/Command/Author/generate/dockerfile.pm+1 −2 modified@@ -2,7 +2,6 @@ package Mojolicious::Command::Author::generate::dockerfile; use Mojo::Base 'Mojolicious::Command'; use Mojo::File qw(path); -use Mojo::JSON qw(encode_json); has description => 'Generate "Dockerfile"'; has usage => sub { shift->extract_usage }; @@ -11,7 +10,7 @@ sub run { my $self = shift; my $name = $self->app->moniker; my $exe = $ENV{MOJO_EXE} ? path($ENV{MOJO_EXE})->to_rel($self->app->home)->to_string : "script/$name"; - $self->render_to_rel_file('dockerfile', 'Dockerfile', {name => $name, cmd => encode_json ["./$exe", 'prefork']}); + $self->render_to_rel_file('dockerfile', 'Dockerfile', {name => $name, cmd => "./$exe prefork"}); } 1;
lib/Mojolicious/Guides/Cookbook.pod+1 −1 modified@@ -248,7 +248,7 @@ And then we are going to need a C<Dockerfile> describing the container. A very s COPY . . RUN cpanm --installdeps -n . EXPOSE 3000 - CMD ["./myapp.pl","prefork"] + CMD ./myapp.pl prefork It uses the latest L<Perl container|https://hub.docker.com/_/perl> from Docker Hub, copies all the contents of your application directory into the container, installs CPAN dependencies with L<App::cpanminus>, and then starts the
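Review bot: this commit is unrelated to the secure_compare fix described above and should probably not be listed as a patch for this CVE; both hunks only change the generated Dockerfile and the Cookbook example from the exec form `CMD ["./myapp.pl","prefork"]` to the shell form `CMD ./myapp.pl prefork`. The exec form is generally preferred for a container's main process because the shell form runs the command under a shell, which then becomes PID 1 and does not forward signals to the application by default, so a stop request may not reach the prefork server. Dropping `use Mojo::JSON qw(encode_json)` is consistent with the diff, since the only visible caller of `encode_json` is removed in the same file.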
58d1b9758b6e Merge pull request #1601 from robrwo/rrwo/improve-secure-compare-1599
1 file changed · +4 −3
lib/Mojo/Util.pm+4 −3 modified@@ -276,8 +276,8 @@ sub scope_guard { Mojo::Util::_Guard->new(cb => shift) } sub secure_compare { my ($one, $two) = @_; - return undef if length $one != length $two; - my $r = 0; + my $r = length $one != length $two; + $two = $one if $r; $r |= ord(substr $one, $_) ^ ord(substr $two, $_) for 0 .. length($one) - 1; return $r == 0; } @@ -792,7 +792,8 @@ Create anonymous scope guard object that will execute the passed callback when t my $bool = secure_compare $str1, $str2; -Constant time comparison algorithm to prevent timing attacks. +Constant time comparison algorithm to prevent timing attacks. The secret string should be the second argument, to +avoid leaking information about the length of the string. =head2 sha1_bytes
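Review bot: the code hunk replaces the early `return undef if length $one != length $two` with `my $r = length $one != length $two; $two = $one if $r;`, so the loop now always runs over `length($one)` bytes and the mismatch is folded into `$r`; this removes the early exit but moves the remaining length dependence entirely onto the first argument, which is why the documentation hunk adds that the secret should be the second argument. Existing call sites that pass the secret first should be audited as part of this change, since for them the fix changes the leak rather than removing it. Two smaller points: the function now returns a false value from `$r == 0` instead of `undef` on a length mismatch, which is fine for boolean callers but is a visible API change worth noting in the Changes file; and when the lengths differ, `$two = $one` makes the loop compare `$one` against itself, so the result correctly depends only on the length-mismatch bit already set in `$r`.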