Hostnames resolving to localhost are not considered 'local' in remote access warning #6049
As discussed in the forums (https://forum.syncthing.net/t/security-warning/13843/):
Since v1.3.0 the remote access warning considers the 'effective GUI listen address' to determine whether a warning should be shown.
As of now, this check only considers IP addresses 127./8, [::1] and unix sockets as local. Domain names/hostnames resolving to localhost such as 'localhost' are not considered local.
Syncthing Version: v1.3.0
PS: I'm not really happy with the issue title, if somebody has a better wording please change.
I posted the issue in the forum. Thanks for this.
I can tell you I did a default install, nothing special, and included with that version of SyncTrayzor, a month ago, was SyncThing 1.2.0. It autoupgraded to 1.2.2, then 1.3.0 last night. On a copy of Windows 7, and a completely separate computer running Windows 10.
127.0.0.1:8384 is what is in the address for GUI LISTEN ADDRESS, along with the message: 'The GUI address is overridden by startup options. Changes here will not take effect while the override is in place.'
Yes, that is all known and understood.
This is an issue that has technically been lingering for a while, but it wasn't visible until 1.3.0 due to a related change in 1.3.0 (c0b5a70). SyncTrayzor set's a default that makes sense but incorrectly triggers this warning (since 1.3.0). Apparently not enough people with SyncTrayzor tested RC 2, so it went unnoticed into the release. I personally have username/password set in the GUI, so I never got the message even with listen address set to "localhost".
By the way, it's Syncthing not SyncThing.
EDIT: I just saw you state that you get this message with listen address set to "127.0.0.1". Is this really what you see in SyncTrayzor? SyncTrayzor has a settings window which defaults to "localhost:8384". This can be accessed through File -> Settings -> Syncthing and overrides everything that you've set in the GUI.