simple WordPress and bbPress security plugin to block long requests
I opened a WordPress security ticket today about something that has been bothering me for a while: Apache will accept URL queries up to 8k (8192) characters in length, but that length is completely unnecessary and allows XSS exploits to get into WordPress and bbPress. Why not block them entirely with this scrap of a plugin? Save it as "_block_long_queries.php" (without the quotes but with the leading underscore) so that it loads as early as possible, does not need activation, and cannot easily be deactivated by hackers.
It should add only a trivial amount of overhead, but it might one day save you from an unpatched bug. I've yet to see an exploit via $_GET that's less than 255 characters. It won't do anything for $_POST exploits, but every little bit helps.
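The plugin itself is not reproduced on this page, so the following is an added illustration of the idea, not the author's code. It is a minimal WordPress must-use plugin that rejects a request before WordPress does any work when its query string or request URI is longer than a fixed limit. The directory (wp-content/mu-plugins, where WordPress auto-loads plugins without activation), the constant names, the function names and the limits are all assumptions of this example; the 255-character query limit is taken from the observation in the post above and is not a standard value, and the 1024-byte URI limit is simply a conservative choice well under Apache's 8192 default.

```php
<?php
/*
Plugin Name: Block Long Queries (example)
Description: Rejects requests with an overlong query string or request URI.
             Example code written for this page, not the original plugin.
*/

// Assumed limits, measured in bytes. 255 comes from the post's observation
// about $_GET exploits; 1024 is a conservative URI ceiling, far below
// Apache's 8192-byte default. Adjust for sites that legitimately use long URLs.
if (!defined('BLQ_MAX_QUERY_LENGTH')) {
    define('BLQ_MAX_QUERY_LENGTH', 255);
}
if (!defined('BLQ_MAX_URI_LENGTH')) {
    define('BLQ_MAX_URI_LENGTH', 1024);
}

/**
 * Return true when the request exceeds either limit.
 * Takes the server array as a parameter so it can be unit-tested with a
 * constructed array instead of the live $_SERVER.
 */
function blq_request_too_long(array $server, $max_query, $max_uri)
{
    $query = isset($server['QUERY_STRING']) ? $server['QUERY_STRING'] : '';
    $uri   = isset($server['REQUEST_URI'])  ? $server['REQUEST_URI']  : '';

    // strlen() counts bytes, which matches how the web server's own limit
    // is measured; percent-encoded characters are therefore counted encoded.
    return strlen($query) > $max_query || strlen($uri) > $max_uri;
}

/**
 * Reject the request with 414 and a plain-text body, logging the source
 * address so an administrator can see rejections in the PHP error log.
 */
function blq_reject()
{
    if (!headers_sent()) {
        http_response_code(414);
        header('Content-Type: text/plain; charset=utf-8');
    }
    $addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log('block_long_queries: rejected overlong request from ' . $addr);
    exit("Request rejected: URL too long.\n");
}

// Run the check immediately on load; a must-use plugin is included before
// regular plugins and themes, so nothing downstream sees the request.
if (blq_request_too_long($_SERVER, BLQ_MAX_QUERY_LENGTH, BLQ_MAX_URI_LENGTH)) {
    blq_reject();
}
```

As in the post, this only looks at the URL: the request body ($_POST) is never inspected, so it is a cheap extra layer rather than a substitute for patching. Check the web server's access logs for legitimate long URLs (search forms, OAuth callbacks, admin screens with many parameters) before choosing the limits, since a value that is too low will turn into false positives for real users.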
(Updated March 13, 2011 to a more efficient/sensitive version.)