Warn the user if they're running with an insecure looking setup (fixes #2139)

2024-11-08 22:31:04 +00:00 · 2015-11-16 21:33:55 +01:00 · 2015-11-16 21:33:55 +01:00 · b1a86fbc98
commit b1a86fbc98
parent 9ae419201d
6 changed files with 51 additions and 10 deletions
--- a/cmd/syncthing/main.go
+++ b/cmd/syncthing/main.go
@ -892,6 +892,10 @@ func setupGUI(mainSvc *suture.Supervisor, cfg *config.Wrapper, m *model.Model, a
 		return
 	}

+	if guiCfg.InsecureAdminAccess {
+		l.Warnln("Insecure admin access is enabled.")
+	}
+
 	api, err := newAPISvc(myID, cfg, guiAssets, m, apiSub, discoverer, relaySvc, errors, systemLog)
 	if err != nil {
 		l.Fatalln("Cannot start GUI:", err)
--- a/gui/assets/lang/lang-en.json
+++ b/gui/assets/lang/lang-en.json
@ -32,6 +32,7 @@
   "Copied from elsewhere": "Copied from elsewhere",
   "Copied from original": "Copied from original",
   "Copyright © 2015 the following Contributors:": "Copyright © 2015 the following Contributors:",
+   "Danger!": "Danger!",
   "Delete": "Delete",
   "Deleted": "Deleted",
   "Device ID": "Device ID",
@ -117,6 +118,7 @@
   "Pause": "Pause",
   "Paused": "Paused",
   "Please consult the release notes before performing a major upgrade.": "Please consult the release notes before performing a major upgrade.",
+   "Please set a GUI Authentication User and Password in the Settings dialog.": "Please set a GUI Authentication User and Password in the Settings dialog.",
   "Please wait": "Please wait",
   "Preview": "Preview",
   "Preview Usage Report": "Preview Usage Report",
@ -169,6 +171,7 @@
   "Syncthing is upgrading.": "Syncthing is upgrading.",
   "Syncthing seems to be down, or there is a problem with your Internet connection. Retrying…": "Syncthing seems to be down, or there is a problem with your Internet connection. Retrying…",
   "Syncthing seems to be experiencing a problem processing your request. Please refresh the page or restart Syncthing if the problem persists.": "Syncthing seems to be experiencing a problem processing your request. Please refresh the page or restart Syncthing if the problem persists.",
+   "The Syncthing admin interface is configured to allow remote access without a password.": "The Syncthing admin interface is configured to allow remote access without a password.",
   "The aggregated statistics are publicly available at {%url%}.": "The aggregated statistics are publicly available at {{url}}.",
   "The configuration has been saved but not activated. Syncthing must restart to activate the new configuration.": "The configuration has been saved but not activated. Syncthing must restart to activate the new configuration.",
   "The device ID cannot be blank.": "The device ID cannot be blank.",
@ -193,6 +196,7 @@
   "The rate limit must be a non-negative number (0: no limit)": "The rate limit must be a non-negative number (0: no limit)",
   "The rescan interval must be a non-negative number of seconds.": "The rescan interval must be a non-negative number of seconds.",
   "They are retried automatically and will be synced when the error is resolved.": "They are retried automatically and will be synced when the error is resolved.",
+   "This can easily give hackers access to read and change any files on your computer.": "This can easily give hackers access to read and change any files on your computer.",
   "This is a major version upgrade.": "This is a major version upgrade.",
   "Trash Can File Versioning": "Trash Can File Versioning",
   "Unknown": "Unknown",
--- a/gui/index.html
+++ b/gui/index.html
@ -72,6 +72,29 @@

  <div class="container" id="content">

+    <!-- Panel: Open, no auth -->
+
+    <div ng-if="openNoAuth" class="row">
+      <div class="col-md-12">
+        <div class="panel panel-danger">
+          <div class="panel-heading"><h3 class="panel-title"><span class="fa fa-exclamation-circle"></span><span translate>Danger!</span></h3></div>
+          <div class="panel-body">
+            <p>
+            <span translate>The Syncthing admin interface is configured to allow remote access without a password.</span>
+            <b><span translate>This can easily give hackers access to read and change any files on your computer.</span></b>
+            <span translate>Please set a GUI Authentication User and Password in the Settings dialog.</span>
+            </p>
+          </div>
+          <div class="panel-footer">
+            <button type="button" class="btn btn-sm btn-default pull-right" ng-click="editSettings()">
+              <span class="fa fa-cog"></span>&nbsp;<span translate>Settings</span>
+            </button>
+            <div class="clearfix"></div>
+          </div>
+        </div>
+      </div>
+    </div>
+
    <!-- Panel: Restart Needed -->

    <div ng-if="!configInSync" class="row">
--- a/gui/syncthing/core/syncthingController.js
+++ b/gui/syncthing/core/syncthingController.js
@ -368,6 +368,15 @@ angular.module('syncthing.core')
                });
            });

+            // If we're not listening on localhost, and there is no
+            // authentication configured, and the magic setting to silence the
+            // warning isn't set, then yell at the user.
+            var guiCfg = $scope.config.gui;
+            $scope.openNoAuth = guiCfg.address.substr(0, 4) != "127."
+                && guiCfg.address.substr(0, 6) != "[::1]:"
+                && (!guiCfg.user || !guiCfg.password)
+                && !guiCfg.insecureAdminAccess;
+
            if (!hasConfig) {
                $scope.$emit('ConfigLoaded');
            }
--- a/lib/auto/gui.files.go
+++ b/lib/auto/gui.files.go
--- a/lib/config/guiconfiguration.go
+++ b/lib/config/guiconfiguration.go
@ -13,12 +13,13 @@ import (
 )

 type GUIConfiguration struct {
-	Enabled    bool   `xml:"enabled,attr" json:"enabled" default:"true"`
-	RawAddress string `xml:"address" json:"address" default:"127.0.0.1:8384"`
-	User       string `xml:"user,omitempty" json:"user"`
-	Password   string `xml:"password,omitempty" json:"password"`
-	RawUseTLS  bool   `xml:"tls,attr" json:"useTLS"`
-	RawAPIKey  string `xml:"apikey,omitempty" json:"apiKey"`
+	Enabled             bool   `xml:"enabled,attr" json:"enabled" default:"true"`
+	RawAddress          string `xml:"address" json:"address" default:"127.0.0.1:8384"`
+	User                string `xml:"user,omitempty" json:"user"`
+	Password            string `xml:"password,omitempty" json:"password"`
+	RawUseTLS           bool   `xml:"tls,attr" json:"useTLS"`
+	RawAPIKey           string `xml:"apikey,omitempty" json:"apiKey"`
+	InsecureAdminAccess bool   `xml:"insecureAdminAccess,omitempty" json:"insecureAdminAccess"`
 }

 func (c GUIConfiguration) Address() string {