Index: wp-includes/class-wp.php
===================================================================
--- wp-includes/class-wp.php	(revision 22002)
+++ wp-includes/class-wp.php	(working copy)
@@ -279,11 +279,28 @@
 			}
 		}
 
-		// Convert urldecoded spaces back into +
-		foreach ( $GLOBALS['wp_taxonomies'] as $taxonomy => $t )
-			if ( $t->query_var && isset( $this->query_vars[$t->query_var] ) )
-				$this->query_vars[$t->query_var] = str_replace( ' ', '+', $this->query_vars[$t->query_var] );
+		foreach ( get_taxonomies( array(), 'objects' ) as $taxonomy => $t ) {
+			if ( $t->query_var && isset( $this->query_vars[ $t->query_var ] ) ) {
+				// Don't allow non-public taxonomies to be queried outside the admin
+				if ( ! $t->public && ! is_admin() )
+					unset( $this->query_vars[ $t->query_var ] );
+				// Convert urldecoded spaces back into +
+				$this->query_vars[ $t->query_var ] = str_replace( ' ', '+', $this->query_vars[ $t->query_var ] );
+			}
+		}
 
+		// Don't allow non-public taxonomies to be queried outside the admin
+		if ( isset( $this->query_vars['taxonomy'] ) && ! is_admin() ) {
+			$queryable_taxonomies = get_taxonomies( array( 'public' => true ) );
+			if ( is_array( $this->query_vars['taxonomy'] ) ) {
+				$this->query_vars['taxonomy'] = array_intersect( $this->query_vars['taxonomy'], $queryiable_taxonomies );
+				if ( empty( $this->query_vars['taxonomy'] ) )
+					unset( $this->query_vars['taxonomy'], $this->query_vars['term'] );
+			} elseif ( ! in_array( $this->query_vars['taxonomy'], $queryable_taxonomies ) ) {
+				unset( $this->query_vars['taxonomy'], $this->query_vars['term'] );
+			}
+		}
+
 		// Limit publicly queried post_types to those that are publicly_queryable
 		if ( isset( $this->query_vars['post_type']) ) {
 			$queryable_post_types = get_post_types( array('publicly_queryable' => true) );
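Review bot: The first loop does not actually drop a non-public taxonomy's query var, because the brace-less `if ( ! $t->public && ! is_admin() )` governs only the `unset()`; the `str_replace()` assignment on the next line still runs and re-creates `$this->query_vars[ $t->query_var ]` as an empty string, reading an index that was just unset. Skip the conversion in that case, e.g. `if ( ! $t->public && ! is_admin() ) { unset( $this->query_vars[ $t->query_var ] ); continue; }`. In the second block the `array_intersect()` call reads `$queryiable_taxonomies`, which is never defined; it should be `$queryable_taxonomies`, otherwise an array-valued `taxonomy` is never compared against the public list. The `in_array()` in the `elseif` would be safer with the strict third argument `true`, since the value comes from the request. The enclosing method starts and ends outside this hunk, and `is_admin()` reports the request context rather than the user's capabilities, so it is worth confirming that no unauthenticated admin-context request reaches this code.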
