WordPress should force all URL query string requests to be 255 characters or less
|Reported by:||_ck_||Owned by:|
In the core at startup, WordPress should force all $_GET variables over 255 characters to be either truncated or removed entirely for security. Optionally the entire query string should be checked for a length over 255 characters and force WP to die if so.
Apache unfortunately allows URL query strings to be up to 8192 characters long, which is happily passed to PHP and WordPress. This helps XSS and other URL query based attacks to get through. I've yet to see such an attack under 255 characters so let's make it much harder for them.
It is extremely unlikely any legitimate request via $_GET would be that long and instead a plugin author would use $_POST. Of course there are attacks that use $_POST too but let's plug the holes that we can.
RFC 2068 states that queries over 255 characters aren't necessarily tolerated, let's go for the lower bound.
Change History (7)
- Cc westi added
- Keywords needs-patch added
- Milestone changed from 2.7 to 2.8
comment:6 follow-up: ↓ 7 Viper007Bond — 5 years ago
- Keywords dev-feedback added; 2nd-opinion removed