
IP Lookup non-https data protection

Open kkmuffme opened this issue 2 years ago • 2 comments

Prerequisites

  • [X] I have carried out troubleshooting steps and I believe I have found a bug.
  • [X] I have searched for similar bugs in both open and closed issues and cannot find a duplicate.

Describe the bug

Follow-up to https://github.com/woocommerce/woocommerce/issues/29405

We use an outgoing firewall that blocks all unencrypted traffic to comply with the California data protection requirements (I guess it's the same in the EU). Especially since IPs are considered PII, this is a must for the geolocation.

Expected behavior

Use HTTPS only, drop all services that don't support HTTPS.

Actual behavior

Some http, some https

Steps to reproduce

see class-wc-geolocation.php

WordPress Environment

WC 8.8

Isolating the problem

  • [X] I have deactivated other plugins and confirmed this bug occurs when only WooCommerce plugin is active.
  • [X] This bug happens with a default WordPress theme active, or Storefront.
  • [X] I can reproduce this bug consistently using the steps above.

kkmuffme, Apr 02 '24 00:04

Agree, but let's be sure to verify each supports HTTPS (on a very quick/incomplete test, ip-api.com may not, so we may have to leave some untouched).

barryhughes, Apr 03 '24 21:04

Adding that ip-api.com is only available over HTTP, not HTTPS. However, the URLs in the WC_Geolocation class's $geoip_apis are incorrect for both ip-api.com and ipinfo.io:

    'ipinfo.io'  => 'https://ipinfo.io/%s/json',
    'ip-api.com' => 'http://ip-api.com/json/%s',

Both return 404 due to the %s; removing these returns the geolocation info, as follows:

    'ipinfo.io'  => 'https://ipinfo.io/json',
    'ip-api.com' => 'http://ip-api.com/json/',

benLBC, May 14 '24 06:05
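
One way a site could enforce the HTTPS-only behaviour requested in this issue without patching core, as an added example that is not part of the thread or WooCommerce's own code. It assumes the `woocommerce_geolocation_geoip_apis` and `woocommerce_geolocation_ip_lookup_apis` filter hooks applied in class-wc-geolocation.php; `example_https_only_services` is a hypothetical helper name, and the sample array reuses the two entries quoted in the thread.

```php
<?php
/**
 * Added example (not WooCommerce code): drop every lookup service whose
 * URL template is not HTTPS, so no visitor IP leaves the server unencrypted.
 */

/**
 * Return the subset of $services whose URL template uses the https scheme.
 * Service names (array keys) are preserved; unparseable entries are dropped.
 */
function example_https_only_services( array $services ): array {
	$kept = array();
	foreach ( $services as $name => $template ) {
		if ( ! is_string( $template ) ) {
			continue;
		}
		// Fill the %s placeholder with a documentation-range IP so the
		// template parses as a complete URL. str_replace avoids sprintf
		// errors on templates that contain other '%' sequences.
		$url    = str_replace( '%s', '192.0.2.1', trim( $template ) );
		$scheme = parse_url( $url, PHP_URL_SCHEME );
		$host   = parse_url( $url, PHP_URL_HOST );

		// Require an explicit https scheme and a host; scheme-relative
		// ("//host/...") and plain-http templates are both rejected.
		if ( is_string( $scheme ) && 'https' === strtolower( $scheme ) && ! empty( $host ) ) {
			$kept[ $name ] = $template;
		}
	}
	return $kept;
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: apply to both service lists (assumed hook names).
	add_filter( 'woocommerce_geolocation_geoip_apis', 'example_https_only_services' );
	add_filter( 'woocommerce_geolocation_ip_lookup_apis', 'example_https_only_services' );
} else {
	// Stand-alone run on a constructed sample taken from the thread.
	$sample = array(
		'ipinfo.io'  => 'https://ipinfo.io/%s/json',
		'ip-api.com' => 'http://ip-api.com/json/%s',
	);
	print_r( example_https_only_services( $sample ) ); // only ipinfo.io remains
}
```

This only enforces the scheme of each configured URL; whether a given service actually answers over HTTPS still has to be verified separately, as noted in the thread.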