Hostnames resolving to localhost are not considered 'local' in remote access warning #6049

GermanCoding opened this issue Oct 1, 2019 · 2 comments
Status: Closed
Labels: bug
@GermanCoding GermanCoding commented Oct 1, 2019

As discussed in the forums (https://forum.syncthing.net/t/security-warning/13843/):

Since v1.3.0 the remote access warning considers the 'effective GUI listen address' to determine whether a warning should be shown.

As of now, this check only considers IP addresses 127./8, [::1] and unix sockets as local. Domain names/hostnames resolving to localhost such as 'localhost' are not considered local.

https://forum.syncthing.net/t/security-warning/13843/8, calmh said:

> Prior to 1.3.0 the warning was just based on the config value, even if overridden externally. In 1.3.0 it’s based on the config or the overridden value but the logic is unchanged. The logic never accounted for names like “localhost”.
> What we should do is just get the address from the GUI listener, so we get in IP form whatever it actually ended up listening to.

Version Information

Syncthing Version: v1.3.0

PS: I'm not really happy with the issue title, if somebody has a better wording please change.
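The difference between the two checks discussed in this issue, as an added example that is not part of the original thread and is not Syncthing's code. The function names, the port `0` used in `main` and the "leading `/` means unix socket" rule are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// isLoopbackLiteral models the check the issue describes (hypothetical helper,
// not Syncthing's code): only unix socket paths and literal loopback IPs count
// as local, so a hostname such as "localhost" is never local.
func isLoopbackLiteral(addr string) bool {
	if strings.HasPrefix(addr, "/") { // assumption: a leading "/" means unix socket
		return true
	}
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host) // nil for hostnames
	return ip != nil && ip.IsLoopback()
}

// isLoopbackAddr checks the address a listener actually ended up bound to,
// which is always in IP form regardless of how it was configured.
func isLoopbackAddr(a net.Addr) bool {
	switch v := a.(type) {
	case *net.UnixAddr:
		return true
	case *net.TCPAddr:
		return v.IP.IsLoopback() // false for 0.0.0.0, [::] and nil
	}
	return false
}

func main() {
	for _, addr := range []string{"127.0.0.1:0", "localhost:0", "0.0.0.0:0"} {
		l, err := net.Listen("tcp", addr)
		if err != nil {
			fmt.Println(addr, "listen failed:", err)
			continue
		}
		fmt.Printf("%-14s literal=%-5v bound=%v (%s)\n",
			addr, isLoopbackLiteral(addr), isLoopbackAddr(l.Addr()), l.Addr())
		l.Close()
	}
}
```

A warning driven by the bound address stays quiet for `localhost` and still fires for a wildcard bind such as `0.0.0.0`, which is the case the warning exists for.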

@Dnominated Dnominated commented Oct 1, 2019

I posted the issue in the forum. Thanks for this.

I can tell you I did a default install, nothing special, and included with that version of SyncTrayzor, a month ago, was SyncThing 1.2.0. It autoupgraded to 1.2.2, then 1.3.0 last night. On a copy of Windows 7, and a completely separate computer running Windows 10.

127.0.0.1:8384 is what is in the address for GUI LISTEN ADDRESS, along with the message: 'The GUI address is overridden by startup options. Changes here will not take effect while the override is in place.'

That ^ hasn't changed. What did change, is with the roll-out of 1.3.0, I get a big red permanent warning
[Image: synctrayzor big red warning 1 3 0]

@GermanCoding GermanCoding commented Oct 1, 2019

> I can tell you I did a default install, nothing special, and included with that version of SyncTrayzor, a month ago, was SyncThing 1.2.0. It autoupgraded to 1.2.2, then 1.3.0 last night. On a copy of Windows 7, and a completely separate computer running Windows 10.
>
> 127.0.0.1:8384 is what is in the address for GUI LISTEN ADDRESS, along with the message: 'The GUI address is overridden by startup options. Changes here will not take effect while the override is in place.'
>
> That ^ hasn't changed. What did change, is with the roll-out of 1.3.0, I get a big red permanent warning

Yes, that is all known and understood.

This is an issue that has technically been lingering for a while, but it wasn't visible until 1.3.0 due to a related change in 1.3.0 (c0b5a70). SyncTrayzor sets a default that makes sense but incorrectly triggers this warning (since 1.3.0). Apparently not enough people with SyncTrayzor tested RC 2, so it went unnoticed into the release. I personally have username/password set in the GUI, so I never got the message even with listen address set to "localhost".

> SyncThing 1.2.0

By the way, it's Syncthing not SyncThing.

EDIT: I just saw you state that you get this message with listen address set to "127.0.0.1". Is this really what you see in SyncTrayzor? SyncTrayzor has a settings window which defaults to "localhost:8384". This can be accessed through File -> Settings -> Syncthing and overrides everything that you've set in the GUI.
