id,summary,reporter,owner,description,type,status,priority,milestone,component,resolution,keywords,cc,planetversion,pltversion
413,Querying malformed ObjectId fails to return,simon.haines@…,jaymccarthy,"When querying a malicious or badly-formed !ObjectId, mongo-collection-find fails to return. Perhaps it is waiting to decode more bytes?

To reproduce:
{{{
(define q (make-hasheq))
(hash-set! q '_id (string->bson-objectid ""test""))
(mongo-collection-find coll q)
}}}

The BSON !ObjectId datatype is 12 bytes, so a simple test in bson/shared.rkt should fix this:
{{{
(define (string->bson-objectid s)
  (let ([b (base64-decode (string->bytes/utf-8 s))])
    (if (= 12 (bytes-length b))
        (make-bson-objectid b)
        (error 'string->bson-objectid ""bad object id""))))
}}}

This is (similar to) the workaround I'm using in my code. I imagine (though have not confirmed) the error might be exposed through the dispatch operator as well (when typing in random URLs).",defect,closed,trivial,,jaymccarthy/mongodb.plt,fixed,bson objectid,,(1 11),